CN116529730A - Privacy preserving machine learning using secure multiparty computing - Google Patents


Info

Publication number
CN116529730A
Authority
CN
China
Prior art keywords
share
mpc
computing system
user
user profile
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202180079925.8A
Other languages
Chinese (zh)
Inventor
G·王
M·M·M·扬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Google LLC
Original Assignee
Google LLC
Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00: Computing arrangements using knowledge-based models
    • G06N5/04: Inference or reasoning models
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245: Protecting personal data, e.g. for financial or medical purposes
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/24: Classification techniques
    • G06F18/241: Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2413: Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on distances to training or reference patterns
    • G06F18/24147: Distances to closest patterns, e.g. nearest neighbour classification
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services

Abstract

The present disclosure relates to a privacy preserving machine learning platform. In one aspect, a method includes receiving, by a first computing system of a plurality of multi-party computing (MPC) systems, an inference request including a first share of a given user profile. A number k of nearest neighbor user profiles that are considered to be most similar to a given user profile are identified. The first computing system identifies a first set of nearest neighbor profiles based on a first share of the given user profile and a k-nearest neighbor model. The first computing system receives, from each of one or more second computing systems of the plurality of MPC systems, data indicative of a respective second set of nearest neighbor profiles identified by the second computing system based on a respective second share of the given user profile and a respective second k-nearest neighbor model trained by the second computing system.

Description

Privacy preserving machine learning using secure multiparty computing
Cross Reference to Related Applications
The present application claims priority from IL application No. 277761 filed on 10/2/2020. The disclosures of the foregoing applications are incorporated herein by reference in their entirety.
Technical Field
The present specification relates to a privacy preserving machine learning platform that uses secure multiparty computing to train and use machine learning models.
Background
Some machine learning models are trained based on data collected from multiple sources (e.g., across multiple websites and/or native applications). However, the data may include private or sensitive data that should not be shared or allowed to leak to other parties.
Disclosure of Invention
In general, one innovative aspect of the subject matter described in this specification can be embodied in methods that include: receiving, by a first computing system of a plurality of multi-party computing (MPC) systems, an inference request comprising a first share of a given user profile; identifying k nearest neighbor user profiles of the plurality of user profiles that are considered to be most similar to the given user profile, comprising: identifying, by the first computing system, a first set of nearest neighbor user profiles based on the first share of the given user profile and a first k-nearest neighbor model trained using the plurality of user profiles; receiving, by the first computing system, from each of one or more second computing systems of the plurality of MPC systems, data indicative of a respective second set of nearest neighbor user profiles identified by the second computing system based on the respective second share of the given user profile and a respective second k-nearest neighbor model trained by the second computing system; identifying, by the first computing system, the number k of nearest neighbor user profiles based on the first set of nearest neighbor user profiles and each second set of nearest neighbor user profiles; generating, by the first computing system, a first share of an inference result based on respective labels of each of the k nearest neighbor user profiles, wherein the label of each user profile predicts one or more user groups to which a user corresponding to the user profile is to be added, and wherein the inference result indicates whether a given user corresponding to the given user profile is to be added to a given user group; and providing, by the first computing system, the first share of the inference result and the respective second shares of the inference result received from each of the one or more second computing systems to the client device.
Other embodiments of this aspect include corresponding apparatuses, systems, and computer programs configured to perform aspects of the methods encoded on computer storage devices.
These and other implementations can each optionally include one or more of the following features. In some aspects, the inference request includes an encrypted second share of the given user profile encrypted using an encryption key of the second computing system. Some aspects may include transmitting the encrypted second share of the given user profile to a second computing system.
In some aspects, the second share of the inference result is encrypted using an encryption key of an application of the client device. In some aspects, the label of each user profile has a Boolean type for binary classification. Generating the first share of the inference result may include determining a first share of a sum of labels of the k nearest neighbor user profiles, receiving a second share of the sum of labels of the k nearest neighbor user profiles from the second computing system, determining the sum of labels based on the first share of the sum of labels and the second share of the sum of labels, determining that the sum of labels exceeds a threshold, determining to add the given user to the given user group as the inference result in response to determining that the sum of labels exceeds the threshold, and generating the first share of the inference result based on the inference result.
In some aspects, the label of each user profile has a numerical value. Generating the first share of the inference result may include determining a first share of a sum of labels of the k nearest neighbor user profiles, receiving a second share of the sum of labels of the k nearest neighbor user profiles from the second computing system, determining a sum of labels based on the first share of the sum of labels and the second share of the sum of labels, determining that the given user is to join the given user group as the inference result based on the sum of labels, and generating the first share of the inference result based on the inference result.
In some aspects, the label of each user profile has a categorical value. Generating the first share of the inference result may include: for each label in a set of labels, determining a first share of the frequency of the label among the user profiles in the k nearest neighbor profiles, receiving a second share of the frequency of the label among the user profiles in the k nearest neighbor profiles from the second computing system, and determining the frequency of the label among the user profiles in the k nearest neighbor profiles based on the first share and the second share of that frequency. Some aspects may include identifying the label having the highest frequency, assigning the given user to join the given user group corresponding to the label having the highest frequency as the inference result, and generating a first share of the inference result based on the inference result.
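The share arithmetic behind the binary and categorical cases above can be followed in the Python example below, which is added here for illustration and is not code from the patent or its applicant. It assumes additive secret sharing modulo a prime, labels that are already secret-shared between the MPC servers, and a one-hot encoding for categorical labels; the modulus and all function names are hypothetical.

```python
import secrets
from typing import List, Sequence, Tuple

# Assumed modulus for additive sharing; the page does not fix one.
PRIME = 2**61 - 1


def share(value: int, n: int = 2) -> List[int]:
    """Split value into n additive shares that sum to value mod PRIME."""
    parts = [secrets.randbelow(PRIME) for _ in range(n - 1)]
    parts.append((value - sum(parts)) % PRIME)
    return parts


def reconstruct(shares: Sequence[int]) -> int:
    """Recombine additive shares; any strict subset is uniformly random."""
    return sum(shares) % PRIME


def deal(values: Sequence[int], n: int = 2) -> List[List[int]]:
    """Share each value; return one list of shares per MPC server."""
    cols = [share(v, n) for v in values]
    return [[c[s] for c in cols] for s in range(n)]


def deal_onehot(labels: Sequence[str], label_set: Sequence[str],
                n: int = 2) -> List[List[List[int]]]:
    """Share one-hot encoded categorical labels (encoding is an assumption)."""
    per_server: List[List[List[int]]] = [[] for _ in range(n)]
    for lab in labels:
        bit_shares = [share(1 if lab == c else 0, n) for c in label_set]
        for s in range(n):
            per_server[s].append([b[s] for b in bit_shares])
    return per_server


def local_sum(label_shares: Sequence[int]) -> int:
    """One server's step: add up its own shares of the k neighbour labels.
    Addition is linear, so the result is a valid share of the label sum."""
    return sum(label_shares) % PRIME


def binary_inference(per_server: Sequence[Sequence[int]],
                     threshold: int) -> bool:
    """Servers exchange shares of the sum, reconstruct it, and compare."""
    sum_shares = [local_sum(s) for s in per_server]
    return reconstruct(sum_shares) > threshold


def categorical_inference(per_server: Sequence[Sequence[Sequence[int]]],
                          label_set: Sequence[str]) -> Tuple[str, List[int]]:
    """Per label: each server sums its shares, frequencies are rebuilt,
    and the label with the highest frequency is the inference result."""
    freqs = []
    for j in range(len(label_set)):
        freq_shares = [sum(row[j] for row in server) % PRIME
                       for server in per_server]
        freqs.append(reconstruct(freq_shares))
    best = max(range(len(label_set)), key=lambda j: freqs[j])
    return label_set[best], freqs


def result_shares_for_client(result: bool, n: int = 2) -> List[int]:
    """Re-share the inference result so that only the client, which
    receives every share, can recover it."""
    return share(int(result), n)


if __name__ == "__main__":
    # Constructed sample: Boolean labels of k = 5 nearest neighbours.
    servers = deal([1, 0, 1, 1, 0])
    join = binary_inference(servers, threshold=2)
    print("join group:", join)
    print("client sees:", reconstruct(result_shares_for_client(join)))

    # Constructed sample: categorical labels of the same neighbours.
    groups = ["ski", "garden", "cook"]
    onehot = deal_onehot(["ski", "ski", "cook", "ski", "garden"], groups)
    print(categorical_inference(onehot, groups))
```

Each server only ever holds uniformly random values until the sum shares are exchanged, at which point the servers learn the label sum (or the per-label frequencies) but not the individual neighbour labels.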
Some aspects may include training a first k-nearest neighbor model using a secure MPC process in cooperation with one or more second computing systems using a first secret share of a plurality of user profiles maintained by the first computing system and a corresponding second secret share of a plurality of user profiles maintained by the one or more second computing systems.
Some aspects may include training a first k-nearest neighbor model. Training may include creating a first share of a random bit flip pattern in cooperation with a second computing system; generating a first share of a bit matrix by projecting the first share of each of the plurality of user profiles onto a set of random projection planes; modifying the first share of the bit matrix by modifying one or more bits of the first share of the bit matrix using the first share of the bit flip pattern; providing a first portion of the first share of the modified bit matrix to the second computing system; receiving, from the second computing system, a second half of a second share of the modified bit matrix generated by the second computing system using second shares of the user profiles in the plurality of user profiles and a second share of the random bit flip pattern; and reconstructing, by the first computing system, a bit vector of the second half of the first bit matrix using the second half of the first share of the modified bit matrix and the second half of the second share of the modified bit matrix. Creating the first share of the random bit flip pattern in cooperation with the second computing system may include generating a first m-dimensional vector including a plurality of first elements (the plurality of first elements each having a value of zero or one), splitting the first m-dimensional vector into two shares, providing the first share of the first m-dimensional vector to the second computing system, receiving the first share of a second m-dimensional vector from the second computing system, and calculating the first share of the random bit flip pattern using the first m-dimensional vector and the shares of the second m-dimensional vector in cooperation with the second computing system. In some aspects, the plurality of MPC computing systems includes more than two MPC computing systems.
In some aspects, the client device calculates a given user profile using a plurality of feature vectors that each include a feature value related to an event of a user of the client device and a decay rate of each feature vector.
In some aspects, a client device calculates a given user profile using a plurality of feature vectors that each include feature values related to events of a user of the client device. Some aspects include classifying one or more of the feature vectors as sparse feature vectors, and classifying one or more of the feature vectors as dense feature vectors. Some aspects include generating a first share of a given user profile and a corresponding second share of the given user profile for one or more second computing systems using the sparse feature vector and the dense feature vector. Generating the first share and the respective one or more second shares of the given user profile may include splitting the sparse feature vector using a Function Secret Sharing (FSS) technique.
The subject matter described in this specification can be implemented in specific embodiments to realize one or more of the following advantages. The machine learning techniques described in this document may identify users with similar interests and extend user group membership while preserving the privacy of the users, e.g., without requiring online activity of the users to be sent to the content platform. This protects user privacy with respect to such platforms and protects the data from compromise during transmission or at the platform. Cryptographic techniques such as secure multiparty computing (MPC) enable user groups to be expanded based on similarities in user profiles without using third party cookies, which protects user privacy without adversely affecting the ability to expand user groups, and in some cases provides better user group expansion based on a more complete profile than is achievable using third party cookies. The MPC technique ensures that as long as one of the computing systems in the MPC cluster is honest, neither the computing systems nor any other party can obtain the user data in the clear. Thus, the claimed method allows user data to be identified, grouped, and transmitted in a secure manner without requiring the use of third party cookies to determine any relationship between the user data. This is a different approach than previously known approaches, which typically require third party cookies to determine the relationships between data. By grouping user data in this way, the efficiency of transmitting data content to the user device is improved, since no data content that is not relevant to a particular user needs to be transmitted. In particular, no third party cookie is required, thereby avoiding storage of the third party cookie and improving memory usage.
Exponential decay techniques may be used to establish a user profile at a client device to reduce the data size of the raw data required to establish the user profile, thereby reducing the data storage requirements of client devices that typically have very limited data storage.
Various features and advantages of the foregoing subject matter are described below with reference to the accompanying drawings. Additional features and advantages will be apparent from the subject matter described herein and from the claims.
Drawings
FIG. 1 is a block diagram of an environment in which a secure MPC cluster trains a machine learning model and the machine learning model is used to extend a user group.
FIG. 2 is a swim lane diagram of an example process for training a machine learning model and adding users to a user group using the machine learning model.
FIG. 3 is a flow chart illustrating an example process for generating a user profile and transmitting shares of the user profile to an MPC cluster.
FIG. 4 is a flow chart illustrating an example process for generating a machine learning model.
FIG. 5 is a flow chart illustrating an example process for adding users to a user group using a machine learning model.
FIG. 6 is a block diagram of an example computer system.
Like reference numbers and designations in the various drawings indicate like elements.
Detailed Description
In general, this document describes systems and techniques for training and using machine learning models to extend user group membership while protecting user privacy and ensuring data security. Typically, rather than creating and maintaining a user profile at a computing system of other entities such as a content platform, the user profile is maintained at a user's client device. To train the machine learning model, a user's client device can optionally send its encrypted user profile (e.g., as secret shares of the user profile) along with other data to multiple computing systems of a secure multi-party computing (MPC) cluster via a content platform. For example, each client device may generate two or more secret shares of the user profile and send a respective secret share to each computing system. The computing systems of the MPC cluster may use MPC techniques to train a machine learning model for suggesting a user group for a user based on the user's profile in a manner that prevents any computing system of the MPC cluster (or any party other than the user itself) from obtaining the profile of any user in the clear, thereby protecting user privacy. For example, using the secret sharing and MPC techniques described in this document enables machine learning models to be trained and used while the user profile data of each user is always encrypted when the data is outside the user device. The machine learning model can be a k-nearest neighbor (k-NN) model.
After the machine learning model is trained, the machine learning model can be used to suggest one or more user groups for each user based on each user's profile. For example, a user's client device may query the MPC cluster for a group of users suggested for the user or determine whether the user should be added to a particular group of users. Various inference techniques may be used to identify a user group, such as binary classification, regression (e.g., using arithmetic mean or root mean square), and/or multi-class classification. User group membership of a user may be used in a privacy-preserving and secure manner to provide content to the user.
Example systems for generating and using machine learning models
FIG. 1 is a block diagram of an environment 100 in which a secure MPC cluster 130 trains a machine learning model, and the machine learning model is used to extend a user group. The example environment 100 includes a data communication network 105, such as a Local Area Network (LAN), Wide Area Network (WAN), the internet, a mobile network, or a combination thereof. The network 105 connects the client device 110, the secure MPC cluster 130, the publisher 140, the website 142, and the content platform 150. The example environment 100 may include many different client devices 110, secure MPC clusters 130, publishers 140, websites 142, and content platforms 150.
Client device 110 is an electronic device capable of communicating over network 105. Example client devices 110 include personal computers, mobile communication devices (e.g., smart phones), and other devices capable of sending and receiving data over the network 105. The client device can also include a digital assistant device that accepts audio input through a microphone and outputs audio output through a speaker. When the digital assistant detects a "hot word" or "hot phrase" that activates the microphone to accept audio input, the digital assistant can be placed in a listening mode (e.g., ready to accept audio input). The digital assistant device may also include a camera and/or a display to capture images and visually present information. The digital assistant may be implemented in different forms of hardware devices, including a wearable device (e.g., a watch or glasses), a smart phone, a speaker device, a tablet device, or another hardware device. The client device may also include a digital media device, such as a streaming device that plugs into a television or other display to stream video to the television, or a gaming device or console.
Client device 110 typically includes an application 112, such as a web browser and/or native application, to facilitate sending and receiving data over network 105. A native application is an application developed for a particular platform or a particular device (e.g., a mobile device with a particular operating system). The publisher 140 may develop and provide the native application to the client device 110, e.g., make the native application available for download. The web browser may request the resource 145 from a web server hosting the web site 142 of the publisher 140, for example, in response to a user of the client device 110 entering the resource address of the resource 145 in an address bar of the web browser or selecting a link referencing the resource address. Similarly, the native application may request application content from a remote server of the publisher.
Some resources, application pages, or other application content may include a digital component slot for rendering digital components with the resources 145 or application pages. As used throughout this document, the phrase "digital component" refers to a discrete unit of digital content or digital information (e.g., a video clip, an audio clip, a multimedia clip, an image, text, or another unit of content). The digital components may be electronically stored in the physical memory device as a single file or collection of files, and the digital components may take the form of video files, audio files, multimedia files, image files, or text files, and include advertising information such that the advertisements are one type of digital component. For example, the digital component may be content that is intended to supplement the content of a web page or other resource presented by the application 112. More specifically, the digital components may include digital content related to the resource content (e.g., the digital components may relate to the same theme as the web page content, or related themes). Thus, the provision of digital components may supplement and generally enhance web pages or application content.
When the application 112 loads a resource (or application content) that includes one or more slots of digital components, the application 112 can request the digital components of each slot. In some implementations, the digital component slot can include code (e.g., scripts) that cause the application 112 to request digital components from a digital component distribution system that selects digital components and provides the digital components to the application 112 for presentation to a user of the client device 110.
The content platform 150 may include a Supply Side Platform (SSP) and a Demand Side Platform (DSP). In general, content platform 150 manages the selection and distribution of digital components on behalf of publishers 140 and digital component providers 160.
Some publishers 140 use SSPs to manage the process of obtaining digital components of their resources and/or digital component slots of applications. SSPs are technology platforms implemented in hardware and/or software that automate the process of obtaining digital components of resources and/or applications. Each publisher 140 can have a corresponding SSP or SSPs. Some publishers 140 may use the same SSP.
The digital component provider 160 may create (or otherwise publish) digital components that are presented in digital component slots of the publisher's resources and applications. Digital component provider 160 may use a DSP to manage the provision of its digital components for presentation in a digital component slot. A DSP is a technical platform implemented in hardware and/or software that automates the process of distributing digital components for presentation with resources and/or applications. The DSP may interact with a plurality of SSPs on behalf of the digital component provider 160 to provide digital components for presentation with the resources and/or applications of a plurality of different publishers 140. In general, a DSP may receive a request for a digital component (e.g., from an SSP), generate (or select) selection parameters for one or more digital components created by one or more digital component providers based on the request, and provide data related to the digital component (e.g., the digital component itself) and the selection parameters to the SSP. The SSP may then select a digital component for presentation at the client device 110 and provide the client device 110 with data that causes the client device 110 to present the digital component.
In some cases, it may be beneficial for a user to receive digital components related to web pages, application pages, or other electronic resources that the user previously accessed and/or interacted with. To distribute such digital components to users, users may be assigned to groups of users, e.g., groups of user interests, groups of similar users, or other group types involving similar user data. For example, a user may be assigned to a user interest group when the user accesses a particular resource or performs a particular action at the resource (e.g., interacts with a particular item presented on a web page or adds an item to a virtual shopping cart). In another example, users may be assigned to groups of users based on a history of activity (e.g., a history of accessed resources and/or actions performed at the resources). In some implementations, the user group can be generated by the digital component provider 160. That is, when a user accesses the electronic resources of the digital component provider 160, each digital component provider 160 may assign the user to its user group.
To protect user privacy, for example, the user's group membership may be maintained at the user's client device 110 through one of the applications 112 or the operating system of the client device 110, rather than through the digital component provider, content platform, or other party. In a particular example, a trusted program (e.g., a web browser or operating system) may maintain a list of user group identifiers ("user group list") of users using the web browser or another application. The user group list may include a group identifier for each user group to which the user has been added. The digital component provider 160 that created the user group may specify the user group identifier of its user group. The user group identifier of the user group may describe the group (e.g., a gardening group) or be a code (e.g., a non-descriptive alphanumeric sequence) representing the group. The user group list of users may be stored in a secure store at client device 110 and/or may be encrypted at the time of storage to prevent others from accessing the list.
When the application 112 presents a resource or application content associated with the digital component provider 160, or a web page on the web site 142, the resource may request that the application 112 add one or more user group identifiers to the user group list. In response, application 112 may add one or more user group identifiers to the user group list and securely store the user group list.
The content platform 150 may use the user group membership of the user to select digital components or other content that may be of interest to the user or may be otherwise beneficial to the user/user device. For example, such digital components or other content may include data that improves the user experience, improves the operation of the user device, or in some other way benefits the user or user device. However, the user group identifiers of the user group list of users may be provided in a manner that prevents the content platform 150 from correlating the user group identifiers with particular users, thereby protecting user privacy when using the user group membership data to select digital components.
The application 112 may provide the user group identifier from the user group list to a trusted computing system that interacts with the content platform 150 to select digital components for presentation at the client device 110 based on the user group membership in a manner that prevents the content platform 150 or any other entity that is not the user itself from knowing the complete user group membership of the user.
In some cases, it may be beneficial for users and digital component providers to extend a user group to include users that have similar interests or other similar data to users that are already members of the user group. For example, a first user may be interested in skiing and may be a member of a user group for a particular ski resort. The second user may also be interested in skiing, but is unaware of the ski resort and is not a member of the ski resort. If two users have similar interests or data (e.g., similar user profiles), a second user may be added to the user group of the ski resort such that the second user receives content (e.g., digital components) that is relevant to the ski resort and that may be of interest or otherwise beneficial to the second user or user device thereof. In other words, the user group may be expanded to include other users having similar user data.
Advantageously, the user may be added to the user group without using a third party cookie. As described above, a user profile may be maintained at the client device 110. This protects user privacy by preventing the user's cross-domain browsing history from sharing with external parties, reduces the bandwidth consumed by sending cookies over the network 105 (which is massive in aggregate across millions of users), reduces the storage requirements of the content platform 150 that typically stores such information, and reduces the battery consumption of the client device 110 for maintaining and sending cookies.
The secure MPC cluster 130 may train a machine learning model that suggests groups of users to the user (or applications 112 thereof) based on the user's profileOr may be used to generate suggestions for a group of users. The secure MPC cluster 130 includes two computing systems MPC that execute secure MPC techniques to train a machine learning model 1 And MPC 2 . Although the example MPC cluster 130 includes two computing systems, more computing systems may be used as long as the MPC cluster 130 includes more than one computing system. For example, the MPC cluster 130 may include three computing systems, four computing systems, or another suitable number of computing systems. The use of more computing systems in the MPC cluster 130 may provide more security and fault tolerance, but may also increase the complexity of the MPC process.
The computing systems MPC1 and MPC2 may be operated by different entities. In this way, each entity may not have access to the complete user profile in plaintext. Plaintext is text that is not computationally marked, specially formatted, or written in code or data (including binary files), in a form that can be viewed or used without the need for a key or other decryption device or other decryption process. For example, one of the computing systems MPC1 or MPC2 may be operated by a trusted party different from the user, the publisher 140, the content platform 150, and the digital component provider 160. For example, an industry group, a government group, or a browser developer may maintain and operate one of the computing systems MPC1 and MPC2. The other computing system may be operated by a different one of these groups, such that a different trusted party operates each of the computing systems MPC1 and MPC2. Preferably, the different parties operating the computing systems MPC1 and MPC2 have no incentive to collude to endanger the privacy of the user. In some implementations, the computing systems MPC1 and MPC2 are architecturally separate and are monitored to not communicate with each other outside of executing the secure MPC process described in this document.
In some implementations, the MPC cluster 130 trains one or more k-NN models for each content platform 150 and/or for each digital component provider 160. For example, each content platform 150 may manage the distribution of digital components of one or more digital component providers 160. The content platform 150 may request that the MPC cluster 130 train a k-NN model for one or more of the digital component providers 160 for which the content platform 150 manages the distribution of digital components. In general, the k-NN model represents the distance between user profiles (and optionally additional information) of a group of users. Each k-NN model of the content platform may have a unique model identifier. An example process for training the k-NN model is shown in FIG. 4 and described below.
After training the k-NN model for the content platform 150, the content platform 150 may query or cause the application 112 of the client device 110 to query the k-NN model to identify one or more user groups of users of the client device 110. For example, the content platform 150 may query the k-NN model to determine whether a threshold number of "k" user profiles closest to the user are members of a particular user group. If so, the content platform 150 may add the user to the user group. If a user group is identified for a user, the content platform 150 or the MPC cluster 130 may request the application 112 to add the user to the user group. If approved by the user and/or application 112, application 112 may add the user group identifier of the user group to the user group list stored at client device 110.
In some implementations, the application 112 can provide a user interface that enables a user to manage the user groups to which the user is assigned. For example, the user interface may enable a user to remove a user group identifier, preventing all or particular resources 145, publishers 140, content platforms 150, digital component providers 160, and/or MPC clusters 130 from adding users to a user group (e.g., preventing an entity from adding a user group identifier to a list of user group identifiers maintained by application 112). This provides better transparency, selection/consent and control for the user.
In addition to the description throughout this document, controls may be provided to the user (e.g., user interface elements with which the user may interact), allowing the user to select whether and when the systems, programs, or features described herein may enable collection of user information (e.g., information about the user's social network, social actions or activities, profession, user's preferences, or the user's current location), and whether to send content or communications from the server to the user. In addition, certain data may be processed in one or more ways before it is stored or used so that personally identifiable information is removed. For example, the identity of the user may be processed such that personally identifiable information of the user cannot be determined, or the geographic location of the user may be generalized (such as to a city, zip code, or state level) where location information is obtained such that a particular location of the user cannot be determined. Thus, the user can control what information is collected about the user, how that information is used, and what information is provided to the user.
Example process for generating and using machine learning models
FIG. 2 is a swim lane diagram of an example process 200 for training a machine learning model and adding users to a user group using the machine learning model. The operations of process 200 may be performed, for example, by the client device 110, the computing systems MPC1 and MPC2 of the MPC cluster 130, and the content platform 150. The operations of process 200 may also be implemented as instructions stored on one or more computer-readable media, which may be non-transitory, and execution of the instructions by one or more data processing apparatus may cause the one or more data processing apparatus to perform the operations of process 200. Although the process 200 and other processes below are described in terms of an MPC cluster 130 with two computing systems, MPC clusters having more than two computing systems may also be used to perform similar processes.
The content platform 150 may initiate training and/or updating of one of its machine learning models by requesting that the application 112 running on the client device 110 generate a user profile for its respective user and upload the secret shares and/or encrypted versions of the user profile to the MPC cluster 130. For the purposes of this document, the secret share of the user profile may be considered an encrypted version of the user profile, because the secret share is not in plaintext. Upon generation, each application 112 may store data for the user profile and generate an updated user profile in response to receiving a request from the content platform 150. Because the content and machine learning model of the user profile may vary from one content platform 150 to another, the application 112 running on the user's client device 110 may maintain data and generate multiple user profiles, each specific to a particular content platform or a particular model owned by a particular content platform.
The application 112 running on the client device 110 establishes a user profile for a user of the client device 110 (202). The user profile of the user may include data related to events initiated by the user and/or events that may have been initiated by the user with respect to an electronic resource (e.g., web page or application content). Events may include a view of an electronic resource, a view of a digital component, a user interaction or lack of user interaction with an electronic resource or digital component (e.g., selection of an electronic resource or digital component), a conversion that occurs after a user interaction with an electronic resource, and/or other suitable events related to a user and an electronic resource.
The user's user profile may be specific to the content platform 150 or a selected machine learning model owned by the content platform 150. For example, as described in more detail below with reference to fig. 3, each content platform 150 may request that the application 112 generate or update a user profile specific to that content platform 150.
The user profile of the user may be in the form of a feature vector. For example, the user profile may be an n-dimensional feature vector. Each of the n dimensions may correspond to a particular feature, and the value of each dimension may be the value of the feature for the user. For example, one dimension may be for whether a particular digital component was presented to (or interacted with by) the user. In this example, the value of the feature may be "1" if the digital component was presented to (or interacted with by) the user, or "0" if the digital component has not been presented to (or interacted with by) the user. An example process for generating a user profile of a user is shown in FIG. 3 and described below.
In some implementations, the content platform 150 may want to train the machine learning model based on additional signals, such as contextual signals, signals related to a particular digital component, or signals related to the user that the application 112 may not be aware of or may not have access to, such as the current weather at the user's location. For example, the content platform 150 may want to train a machine learning model to predict whether a user will interact with a particular digital component if that digital component is presented to the user in a particular context. In this example, for each presentation of the digital component to the user, the contextual signals may include the geographic location of the client device 110 at the time (if the user grants permission), a signal describing the content of the electronic resource presented with the digital component, and a signal describing the digital component, such as the content of the digital component, the type of digital component, the location at which the digital component is presented on the electronic resource, and so forth. In another example, one dimension may be for whether a digital component presented to a user is of a particular type. In this example, the value may be 1 for travel, 2 for cooking, 3 for movies, etc. For convenience of subsequent description, P_i will represent both the user profile and the additional signals (e.g., contextual signals and/or digital component level signals) associated with the i-th user profile.
The application 112 generates shares of the user profile P_i for the user (204). In this example, the application 112 generates two shares of the user profile P_i, one for each computing system of the MPC cluster 130. Note that each share may itself be a random variable that, by itself, does not reveal anything about the user profile. The two shares need to be combined to obtain the user profile. If the MPC cluster 130 includes more computing systems that participate in the training of the machine learning model, the application 112 will generate more shares, one for each computing system. In some implementations, to protect user privacy, the application 112 can use a pseudo-random function to split the user profile P_i into shares. That is, the application 112 may use a pseudo-random function PRF(P_i) to generate two shares {[P_i,1], [P_i,2]}. The exact split may depend on the secret sharing algorithm and encryption library used by the application 112.
In some implementations, the application 112 may also provide one or more labels to the MPC cluster 130. Although the labels may not be used in training a machine learning model of some architectures (e.g., k-NN), the labels may be used to fine tune the hyperparameters that control the model training process (e.g., the value of k), or to evaluate the quality of the trained machine learning model, or to make predictions, i.e., to determine whether to suggest a user group for the user. The labels may include, for example, one or more of the user group identifiers for the user that are accessible to the content platform 150. That is, a label may include a user group identifier for a user group managed by the content platform 150 or that the content platform 150 has read access to. In some implementations, a single label includes multiple user group identifiers for the user. In some implementations, the user's label may be heterogeneous and include all user groups that include the user as a member and additional information, e.g., whether the user interacted with a given digital component. This enables the k-NN model to be used to predict whether another user will interact with a given digital component. The label of each user profile may indicate the user group membership of the user corresponding to the user profile.
The labels of the user profiles are predictive of the user groups to which the user corresponding to an input will be added or should be added. For example, the labels corresponding to the k nearest neighbor user profiles of an input user profile are predictive of the user groups that the user corresponding to the input user profile will join or should join, based on, e.g., similarity between the user profiles. These predictive labels may be used to suggest user groups to the user or to request the application to add the user to the user groups corresponding to the labels.
If labels are included, the application 112 may also split each label label_i into shares, e.g., [label_i,1] and [label_i,2]. In this way, without collusion between the computing systems MPC1 and MPC2, neither computing system MPC1 nor MPC2 can reconstruct P_i from [P_i,1] or [P_i,2], or reconstruct label_i from [label_i,1] or [label_i,2].
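The splitting of P_i and label_i into shares described above, as an added example that is not code from the patent. It assumes additive secret sharing modulo a public prime and uses the operating system CSPRNG in place of the PRF (the document leaves the exact scheme to the library in use); the function names, the modulus, and the sample profile are assumptions, and it also covers clusters with more than two computing systems.

```python
import secrets

# Assumption: shares live in the integers modulo a public prime.
MODULUS = 2**61 - 1


def split_into_shares(values, parties=2):
    """Split every element of `values` into `parties` additive shares.

    Returns one share vector per computing system. Any subset of fewer than
    `parties` share vectors is uniformly random and reveals nothing about
    `values`.
    """
    shares = [[0] * len(values) for _ in range(parties)]
    for idx, value in enumerate(values):
        running = 0
        for party in range(parties - 1):
            r = secrets.randbelow(MODULUS)
            shares[party][idx] = r
            running = (running + r) % MODULUS
        # The last share is fixed so that all shares sum to the value.
        shares[parties - 1][idx] = (value - running) % MODULUS
    return shares


def reconstruct(shares):
    """Combine all share vectors back into the original vector."""
    return [sum(column) % MODULUS for column in zip(*shares)]


def to_signed(x):
    """Decode a residue as a signed integer (upper half means negative)."""
    return x - MODULUS if x > MODULUS // 2 else x


def local_dot(share, public_vector):
    """Dot product of ONE share with a public vector, computed locally.

    Additive sharing is linear, so the per-system results are themselves
    shares of the dot product of the real profile with `public_vector`.
    """
    return sum(s * u for s, u in zip(share, public_vector)) % MODULUS


if __name__ == "__main__":
    profile = [1, 0, 1, 1, 0, 2]   # constructed n-dimensional P_i
    label = [1, 0]                 # constructed membership flags (label_i)
    p1, p2 = split_into_shares(profile)
    l1, l2 = split_into_shares(label)
    print("share held by MPC1:", p1)
    print("share held by MPC2:", p2)
    print("recombined profile:", reconstruct([p1, p2]))
    print("recombined label:  ", reconstruct([l1, l2]))
    public = [3, -1, 2, 0, 5, -4]
    combined = (local_dot(p1, public) + local_dot(p2, public)) % MODULUS
    print("dot product from shares:", to_signed(combined))
```
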
The application 112 encrypts the shares [P_i,1] or [P_i,2] of the user profile P_i and/or the shares [label_i,1] or [label_i,2] of each label label_i (206). In some implementations, the application 112 generates a composite message of the first share [P_i,1] of the user profile P_i and the first share [label_i,1] of the label label_i and encrypts the composite message using an encryption key of the computing system MPC1. Similarly, the application 112 generates a composite message of the second share [P_i,2] of the user profile P_i and the second share [label_i,2] of the label label_i and encrypts the composite message using an encryption key of the computing system MPC2. These functions can be expressed as PubKeyEncrypt([P_i,1] || [label_i,1], MPC1) and PubKeyEncrypt([P_i,2] || [label_i,2], MPC2), where PubKeyEncrypt represents a public key encryption algorithm using the corresponding public key of MPC1 or MPC2. The symbol "||" represents a reversible method of composing a complex message from multiple simple messages, such as JavaScript Object Notation (JSON), Concise Binary Object Representation (CBOR), or protocol buffers.
The application 112 provides the encrypted shares to the content platform 150 (208). For example, the application 112 may send the encrypted shares of the user profile and the label to the content platform 150. Because each share is encrypted using an encryption key of the computing system MPC1 or MPC2, the content platform 150 has no access to the user profile or label of the user.
The content platform 150 may receive shares of the user profiles and shares of the labels from a plurality of client devices. The content platform 150 may initiate training of the machine learning model by uploading the shares of the user profiles to the computing systems MPC1 and MPC2. Although the labels may not be used during the training process, the content platform 150 may upload the shares of the labels to the computing systems MPC1 and MPC2 for use in evaluating model quality or later querying the model.
The content platform 150 uploads the first encrypted share (e.g., PubKeyEncrypt([P_i,1] || [label_i,1], MPC1)) received from each client device 110 to the computing system MPC1 (210). Similarly, the content platform 150 uploads the second encrypted share (e.g., PubKeyEncrypt([P_i,2] || [label_i,2], MPC2)) to the computing system MPC2 (212). The two uploads may be batched and may include encrypted shares of user profiles and labels received during a particular period of time for training a machine learning model.
In some implementations, the order in which the content platform 150 uploads the first encrypted shares to the computing system MPC1 must match the order in which the content platform 150 uploads the second encrypted shares to the computing system MPC2. This allows the computing systems MPC1 and MPC2 to properly match two shares of the same secret, e.g., two shares of the same user profile.
In some implementations, the content platform 150 can explicitly assign the same pseudo-randomly or sequentially generated identifiers to shares of the same secret to facilitate matching. While some MPC techniques may rely on random scrambling of input or intermediate results, the MPC techniques described in this document may not include such random scrambling, but may rely on the order of uploading to match.
In some implementations, operations 208, 210, and 212 may be replaced by an alternative process in which the application 112 directly uploads [P_i,1] || [label_i,1] to MPC1 and [P_i,2] || [label_i,2] to MPC2. This alternative process may reduce the infrastructure cost of the content platform 150 for supporting operations 208, 210, and 212 and reduce the cost for the content platform to begin training or updating the machine learning model in MPC1 and MPC2. For example, this eliminates the transmission to the content platform 150 of data that the content platform 150 then sends to MPC1 and MPC2. This reduces the amount of data sent over the network 105 and reduces the complexity of the logic of the content platform 150 in processing such data.
The computing systems MPC1 and MPC2 generate a machine learning model (214). Each time a new machine learning model is generated based on user profile data may be referred to as a training session. The computing systems MPC1 and MPC2 may train the machine learning model based on the encrypted shares of the user profiles received from the client devices 110. For example, the computing systems MPC1 and MPC2 may train the k-NN model using MPC techniques based on the shares of the user profiles.
To minimize or at least reduce encryption computation, and thus minimize or at least reduce the computational burden placed on the computing systems MPC1 and MPC2 to preserve user privacy and data during both model training and inference, the MPC cluster 130 may use random projection techniques (e.g., SimHash) to quickly, securely, and probabilistically quantify the similarity between two user profiles P_i and P_j. SimHash is a technique that can quickly estimate the similarity between two data sets. The similarity between two user profiles P_i and P_j may be determined by determining the Hamming distance between two bit vectors that represent the two user profiles P_i and P_j, which is inversely proportional to the cosine distance between the two user profiles with high probability.
Conceptually, for each training session, m random projection hyperplanes U = {U_1, U_2, …, U_m} may be generated. The random projection hyperplanes may also be referred to as random projection planes. One purpose of the multi-step computation between the computing systems MPC1 and MPC2 is to create, for each user profile P_i used in the training of the k-NN model, a bit vector B_i of length m. In the bit vector B_i, each bit B_i,j represents the sign of the dot product of one of the projection planes U_j and the user profile P_i, i.e., for all j ∈ [1, m], B_i,j = sign(U_j ⊙ P_i), where ⊙ denotes the dot product of two vectors of equal length. That is, each bit represents which side of the plane U_j the user profile P_i lies on. A bit value of 1 indicates a positive sign and a bit value of 0 indicates a negative sign.
At the end of the multi-step computation, each of the two computing systems MPC1 and MPC2 generates an intermediate result that includes the plaintext bit vector for each user profile, the share of each user profile, and the share of the label for each user profile. For example, the intermediate result of the computing system MPC1 may be the data shown in Table 1 below. The computing system MPC2 will have a similar intermediate result, but with a different share of each user profile and each label. To add additional privacy protection, each of the two servers in the MPC cluster 130 can only obtain half of the m-dimensional bit vectors in plaintext, e.g., the computing system MPC1 obtains the first m/2 dimensions of all m-dimensional bit vectors, and the computing system MPC2 obtains the second m/2 dimensions of all m-dimensional bit vectors.
Plaintext bit vector | MPC1 share of P_i | MPC1 share of label_i
B_i | |
B_i+1 | |
TABLE 1
Given two arbitrary user profile vectors P_i and P_j of unit length, i ≠ j, it has been shown that, assuming that the number of random projections m is sufficiently large, the Hamming distance between the bit vectors B_i and B_j of the two user profile vectors P_i and P_j is, with high probability, proportional to the cosine distance between the user profile vectors P_i and P_j.
Based on the intermediate results shown above, and because the bit vectors B_i are in plaintext, each computing system MPC1 and MPC2 may independently create (e.g., by training) a corresponding k-NN model using a k-NN algorithm. The computing systems MPC1 and MPC2 may use the same or different k-NN algorithms. An example process for training the k-NN model is shown in FIG. 4 and described below. Once the k-NN model is trained, the application 112 may query the k-NN model to determine whether to add users to the user group.
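The SimHash bit vectors, the Hamming-distance comparison, and the threshold vote over the k nearest neighbors described above, as an added example that is not code from the patent. It runs in the clear on constructed profiles and labels, whereas in the document the bits come out of the MPC computation on shares; the function names, the sample profiles, the group identifiers, and the seed are assumptions.

```python
import math
import random


def make_hyperplanes(m, n, seed):
    """U = {U_1..U_m}: m random projection planes with n-dim Gaussian normals."""
    rng = random.Random(seed)  # seeded only so the example is repeatable
    return [[rng.gauss(0.0, 1.0) for _ in range(n)] for _ in range(m)]


def bit_vector(profile, hyperplanes):
    """B_i,j = 1 if the dot product of U_j and P_i is positive, else 0."""
    return [1 if sum(u * p for u, p in zip(plane, profile)) > 0 else 0
            for plane in hyperplanes]


def hamming(a, b):
    """Number of positions at which two bit vectors differ."""
    return sum(x != y for x, y in zip(a, b))


def estimated_angle(a, b):
    """A random plane separates two vectors with probability angle / pi,
    so the fraction of differing bits estimates the angle between them."""
    return math.pi * hamming(a, b) / len(a)


def true_angle(p, q):
    dot = sum(x * y for x, y in zip(p, q))
    norms = math.sqrt(sum(x * x for x in p)) * math.sqrt(sum(y * y for y in q))
    return math.acos(max(-1.0, min(1.0, dot / norms)))


# Constructed training data: profile id -> (feature vector, user group labels).
PROFILES = {
    "a1": ([1, 1, 1, 0, 0, 0], {"hiking"}),
    "a2": ([1, 1, 1, 1, 0, 0], {"hiking"}),
    "a3": ([1, 1, 0, 0, 0, 0], set()),
    "b1": ([0, 0, 0, 1, 1, 1], {"cooking"}),
    "b2": ([0, 0, 1, 1, 1, 1], {"cooking"}),
    "b3": ([0, 0, 0, 0, 1, 1], set()),
}
QUERY = [2, 1, 1, 0, 0, 0]  # constructed profile of the querying user


def train(hyperplanes):
    """The 'model' is just the stored bit vector and labels per profile."""
    return [(pid, bit_vector(vec, hyperplanes), labels)
            for pid, (vec, labels) in PROFILES.items()]


def k_nearest(query_bits, model, k):
    """The k stored profiles with the smallest Hamming distance to the query."""
    return sorted(model, key=lambda row: hamming(query_bits, row[1]))[:k]


def suggest_group(query_bits, model, k, group_id, threshold):
    """True if at least `threshold` of the k nearest profiles carry group_id."""
    members = sum(1 for _, _, labels in k_nearest(query_bits, model, k)
                  if group_id in labels)
    return members >= threshold


if __name__ == "__main__":
    planes = make_hyperplanes(m=512, n=6, seed=7)
    model = train(planes)
    query_bits = bit_vector(QUERY, planes)
    for pid, bits, _ in model:
        print(pid, "hamming", hamming(query_bits, bits),
              "estimated angle %.2f" % estimated_angle(query_bits, bits),
              "true angle %.2f" % true_angle(QUERY, PROFILES[pid][0]))
    print("suggest hiking:", suggest_group(query_bits, model, 3, "hiking", 2))
```
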
The application 112 submits an inference request to the MPC cluster 130 (216). In this example, the application 112 sends the inference request to the computing system MPC1. In other examples, the application 112 may send the inference request to the computing system MPC2. The application 112 may submit an inference request in response to a request from the content platform 150 to submit an inference request. For example, the content platform 150 may request the application 112 to query the k-NN model to determine whether the user of the client device 110 should be added to a particular user group. The request may be referred to as an inference request to infer whether a user should be added to a group of users.
To initiate an inference request, the content platform 150 may send an inference request token M_infer to the application 112. The inference request token M_infer enables servers in the MPC cluster 130 to verify that the application 112 is authorized to query a particular machine learning model owned by a particular domain. If model access control is optional, then the inference request token M_infer is optional. The inference request token M_infer may have the following items shown and described in Table 2 below.
TABLE 2
In this example, the inference request token M_infer includes seven items and a digital signature generated based on the seven items using the private key of the content platform 150. eTLD+1 is the effective top-level domain (eTLD) plus one level more than the public suffix. An example eTLD+1 is "sample.com", where ".com" is the top-level domain.
To request inference for a particular user, the content platform 150 may generate an inference request token M_infer and send the token to the application 112 running on the user's client device 110. In some implementations, the content platform 150 encrypts the inference request token M_infer using the public key of the application 112 so that only the application 112 can decrypt the inference request token M_infer using its secret private key corresponding to the public key. That is, the content platform may send PubKeyEnc(M_infer, application_public_key) to the application 112.
The application 112 may decrypt and verify the inference request token M_infer. The application 112 may use its private key to decrypt the encrypted inference request token M_infer. The application 112 may verify the inference request token M_infer by: (i) verifying the digital signature using a public key of the content platform 150 corresponding to the private key of the content platform 150 used to generate the digital signature, and (ii) ensuring that the token creation timestamp is not stale, e.g., the time indicated by the timestamp is within a threshold amount of time of the current time at which verification is being performed. If the inference request token M_infer is valid, the application 112 may query the MPC cluster 130.
Conceptually, the inference request may include a model identifier of a machine learning model, a current user profile P_i, k (the number of nearest neighbors to be acquired), optional additional signals (e.g., context signals or digital component signals), an aggregation function, and aggregation function parameters. However, to prevent leaking the user profile P_i in plaintext to the computing system MPC1 or MPC2, thereby protecting user privacy, the application 112 may split the user profile P_i into two shares, [P_i,1] and [P_i,2], for MPC1 and MPC2, respectively. The application 112 may then select, for example randomly or pseudo-randomly, one of the two computing systems MPC1 or MPC2 for the query. If the application 112 selects the computing system MPC1, the application 112 may send to the computing system MPC1 a single request with the first share [P_i,1] and an encrypted version of the second share (e.g., PubKeyEncrypt([P_i,2], MPC2)). In this example, the application 112 encrypts the second share [P_i,2] using the public key of the computing system MPC2 to prevent the computing system MPC1 from accessing [P_i,2], which would enable the computing system MPC1 to reconstruct the user profile P_i from [P_i,1] and [P_i,2].
As described in more detail below, the computing systems MPC1 and MPC2 cooperatively compute the k nearest neighbors to the user profile P_i. The computing systems MPC1 and MPC2 may then use one of several possible machine learning techniques (e.g., binary classification, multi-class classification, regression, etc.) to determine whether to add the user to a user group based on the k nearest neighbor user profiles. For example, the aggregation function may identify the machine learning technique (e.g., binary, multi-class, regression), and the aggregation function parameters may be based on the aggregation function. The aggregation function may define a calculation, such as a summation, a logical AND or OR, or another suitable function that is performed using the parameters. For example, the aggregation function may be in the form of an equation that includes the function and the parameters used in the equation.
In some implementations, the aggregation function parameters can include a user group identifier for the user group for which the content platform 150 is querying the k-NN model for the user. For example, the content platform 150 may want to know whether to add a user to a user group associated with hiking and having a user group identifier "hiking". In this example, the aggregation function parameter may include the "hiking" user group identifier. Typically, the computing systems MPC1 and MPC2 may determine whether to add a user to a user group based on the number of the k nearest neighbors that are members of the user group (e.g., based on their labels).
The MPC cluster 130 provides the inference result to the application 112 (218). In this example, the computing system MPC1 that received the query sends the inference result to the application 112. The inference result may indicate whether the application 112 should add the user to zero or more user groups. For example, the user group result may specify a user group identifier for the user group. However, in this example, the computing system MPC1 would know the user group. To prevent this, the computing system MPC1 may calculate a share of the inference result and the computing system MPC2 may calculate another share of the same inference result. The computing system MPC2 may provide an encrypted version of its share to the computing system MPC1, where the share is encrypted using the public key of the application 112. The computing system MPC1 may provide to the application 112 its share of the inference result and the encrypted version of the computing system MPC2's share of the user group result. The application 112 may decrypt the share of the computing system MPC2 and calculate the inference result from the two shares. An example process for querying the k-NN model to determine whether to add a user to a user group is shown in FIG. 5 and described below. In some implementations, to prevent the computing system MPC1 from falsifying the result of the computing system MPC2, the computing system MPC2 digitally signs its result before or after encrypting the result using the public key of the application 112. The application 112 uses the public key of MPC2 to verify the digital signature of the computing system MPC2.
The application 112 updates the user group list of the user (220). For example, if the inference result is to add a user to a particular user group, the application 112 may add the user to the user group. In some implementations, the application 112 can prompt the user to grant permission to add the user to the user group.
The application 112 sends a request for content (222). For example, the application 112 may send a request for a digital component to the content platform 150 in response to loading an electronic resource having a digital component slot. In some implementations, the request can include one or more user group identifiers for user groups that include the user as a member. For example, the application 112 may obtain one or more user group identifiers from the user group list and provide the user group identifier(s) with the request. In some implementations, techniques may be used to prevent the content platform from being able to associate a user group identifier with the user, the application 112, and/or the client device 110 from which the request was received.
The content platform 150 sends the content to the application 112 (224). For example, the content platform 150 may select a digital component based on the user group identifier(s) and provide the digital component to the application 112. In some implementations, the content platform 150 cooperates with the application 112 to select the digital component based on the user group identifier(s) without revealing the user group identifier(s) from the application 112.
The application 112 displays or otherwise implements the received content (226). For example, the application 112 may display the received digital components in a digital component slot of the electronic resource.
Example process for generating a user profile
FIG. 3 is a flow chart illustrating an example process 300 for generating a user profile and transmitting shares of the user profile to an MPC cluster. The operations of process 300 may be implemented, for example, by client device 110 of fig. 1, such as by application 112 running on client device 110. The operations of process 300 may also be implemented as instructions stored on one or more computer-readable media, which may be non-transitory, and execution of the instructions by one or more data processing apparatus may cause the one or more data processing apparatus to perform the operations of process 300.
The application 112 executing on the user's client device 110 receives the data of the event (302). The event may be, for example, a presentation of an electronic resource at the client device 110, a presentation of a digital component at the client device 110, a user interaction with an electronic resource or digital component at the client device 110, or a conversion of a digital component, or a lack of a user interaction with an electronic resource or digital component of a presentation, or a lack of a conversion of an electronic resource or digital component of a presentation. When an event occurs, the content platform 150 may provide data related to the event to the application 112 for use in generating a user profile for the user.
The application 112 may generate a different user profile for each content platform 150. That is, the user profile of the user for a particular content platform 150 may include only event data received from that particular content platform 150. This protects user privacy by not sharing data related to events of other content platforms with the content platform. In some implementations, upon request by the content platform 150, the application 112 can generate a different user profile for each machine learning model owned by the content platform 150. Different machine learning models may require different training data based on design goals. For example, a first model may be used to determine whether to add a user to a user group. A second model may be used to predict whether a user will interact with the digital component. In this example, the user profile of the second model may include additional data that the user profile of the first model does not have, e.g., whether the user is interacting with the digital component.
The content platform 150 may send the event data in the form of a profile update token M_update. The profile update token M_update has the following items, shown and described in Table 3 below.
Table 3
The model identifier identifies the machine learning model, e.g., a k-NN model, that the user profile will be used to train or used to make user group inferences. The profile record is an n-dimensional feature vector that includes event-specific data, such as the type of event, the electronic resource or digital component, the time at which the event occurred, and/or other suitable event data that the content platform 150 wants to use in training the machine learning model and making user group inferences. The digital signature is generated based on the seven items using the private key of the content platform 150.
In some embodiments, to protect the update token M_update during transmission, the content platform 150 encrypts the update token M_update prior to sending it to the application 112. For example, the content platform 150 may encrypt the update token M_update using the public key of the application (e.g., PubKeyEnc(M_update, application_public_key)).
In some implementations, the content platform 150 can send event data to the application 112 without encoding the event data or update request in the form of a profile update token M_update. For example, scripts running within the application 112 that originate from the content platform 150 may send event data and update requests directly to the application 112 via a script API, where the application 112 relies on a security model based on World Wide Web Consortium (W3C) origin and/or HTTPS (Hypertext Transfer Protocol Secure) to protect the event data and update requests from forgery or leakage.
The application 112 stores the data of the event (304). If the event data is encrypted, the application 112 may decrypt the event data using its private key, which corresponds to the public key used to encrypt the event data. If the event data is sent in the form of an update token M_update, the application 112 may verify the update token M_update before storing the event data. The application 112 may verify the update token M_update by: (i) verifying the digital signature using the public key of the content platform 150 that corresponds to the private key of the content platform 150 used to generate the digital signature, and (ii) ensuring that the token creation timestamp is not stale, e.g., the time indicated by the timestamp is within a threshold amount of time of the current time at which verification is being performed. If the update token M_update is valid, the application 112 may store the event data, for example, by storing the n-dimensional profile record. If any of the verifications fail, the application 112 may ignore the update request, for example, by not storing the event data.
For each machine learning model, for example, for each unique model identifier, the application 112 may store event data for that model. For example, the application 112 may maintain, for each unique model identifier, a data structure that includes a set of n-dimensional feature vectors (e.g., the profile records of the update tokens) and an expiration time for each feature vector. Each feature vector may include feature values for features related to events of a user of the client device 110. An example data structure for a model identifier is shown in Table 4 below.
Feature vector | Expiration
n-dimensional feature vector | Expiration time
Table 4
Upon receipt of a valid update token M_update, the application 112 may update the data structure for the model identifier included in the update token M_update by adding the feature vector and expiration time of the update token M_update to the data structure. Periodically, the application 112 may clear expired feature vectors from the data structure to reduce the storage size.
The application 112 determines whether to generate a user profile (306). For example, the application 112 may generate a user profile for a particular machine learning model in response to a request from the content platform 150. The request may be to generate a user profile and return the shares of the user profile to the content platform 150. In some implementations, the application 112 may upload the generated user profiles directly to the MPC cluster 130, e.g., rather than send them to the content platform 150. To ensure the security of the request to generate and return shares of the user profile, the content platform 150 may send an upload token M_upload to the application 112.
The upload token M_upload may have a structure similar to that of the update token M_update, but with a different operation (e.g., "update server" instead of "cumulative user profile"). The upload token M_upload may also include an additional item for an operation delay. The operation delay may instruct the application 112 to delay computing and uploading shares of the user profile while the application 112 accumulates more event data, such as more feature vectors. This enables the machine learning model to capture user event data immediately before and after some key event (e.g., joining a user group). The operation delay may specify a delay period. In this example, the digital signature may be generated based on the other seven items in Table 3 and the operation delay using the private key of the content platform. The content platform 150 may use the public key of the application to encrypt the upload token M_upload in a similar manner as the update token M_update, for example PubKeyEnc(M_upload, application_public_key), to protect the upload token M_upload during transmission.
The application 112 may receive the upload token M_upload, decrypt the upload token M_upload if it is encrypted, and verify the upload token M_upload. The verification may be similar to the manner in which the update token M_update is verified. The application 112 may verify the upload token M_upload by: (i) verifying the digital signature using the public key of the content platform 150 that corresponds to the private key of the content platform 150 used to generate the digital signature, and (ii) ensuring that the token creation timestamp is not stale, e.g., the time indicated by the timestamp is within a threshold amount of time of the current time at which verification is being performed. If the upload token M_upload is valid, the application 112 may generate a user profile. If any of the verifications fail, the application 112 may ignore the upload request, e.g., by not generating a user profile.
In some implementations, the content platform 150 may request the application 112 to upload the user profile without encoding the upload request in the form of a profile upload token M_upload. For example, scripts running within the application 115 that originate from the content platform 150 may send the upload request directly to the application 115 via a script API, where the application 115 relies on a security model based on W3C origin and/or HTTPS to protect the upload request from forgery or leakage.
If it is determined that the user profile is not to be generated, the process 300 may return to operation 302 and await additional event data from the content platform 150. If it is determined to generate a user profile, application 112 generates a user profile (308).
The application 112 may generate a user profile based on stored event data (e.g., data stored in the data structure shown in Table 4). The application 112 may access the appropriate data structure based on a model identifier included in the request (e.g., the content platform eTLD+1 field of item 1 and the model identifier of item 2 of the upload token M_upload).
The application 112 may calculate the user profile by aggregating n-dimensional feature vectors in the data structure in the learning period that has not expired. For example, the user profile may be an average of n-dimensional feature vectors in a data structure in a learning period that has not expired. The result is an n-dimensional feature vector representing the user in the profile space. Alternatively, the application 112 may normalize the n-dimensional feature vector to a unit length, for example, using L2 normalization. The content platform 150 may specify an optional learning period.
In some implementations, the decay rate can be used to calculate a user profile. Since there may be many content platforms 150 that use the MPC cluster 130 to train machine learning models, and each content platform 150 may have multiple machine learning models, storing user feature vector data may result in significant data storage requirements. The use of decay techniques may substantially reduce the amount of data stored at each client device 110 for the purpose of generating a user profile for training a machine learning model.
Assume that for a given machine learning model, there are k feature vectors {F_1, F_2, …, F_k}, each of which is an n-dimensional vector, and their corresponding ages (record_age_in_seconds_i). The application 112 may use the following Relationship 1 to calculate the user profile:
relationship 1:
In this relationship, the parameter record_age_in_seconds_i is the amount of time in seconds that the profile record has been stored at the client device 110, and the parameter decay_rate_in_seconds is the decay rate in seconds of the profile record (e.g., received in item 6 of the update token M_update). In this way, more recent feature vectors carry more weight. This also enables the application 112 to avoid storing feature vectors and to store the profile record with only constant storage. The application 112 only has to store the n-dimensional vector P and the timestamp user_profile_time for each model identifier, rather than storing a plurality of separate feature vectors for each model identifier. This greatly reduces the amount of data that must be stored at the client device 110, many of which typically have limited data storage capacity.
To initialize the n-dimensional vector user profile P and the timestamp, the application may set the vector P to an n-dimensional vector in which the value of each dimension is zero and set user_profile_time to epoch. To update the user profile P with a new feature vector F_x at any time, the application 112 may use Relationship 2 below:
relationship 2:
When updating the user profile with Relationship 2, the application 112 may also update the user profile time (user_profile_time) to the current time (current_time). Note that if the application 112 calculates the user profile using the decay rate algorithm described above, operations 304 and 308 are omitted.
The application 112 generates shares of the user profile (310). The application 112 may use a pseudo-random function to split the user profile P_i (e.g., the n-dimensional vector P) into shares. That is, the application 112 may use a pseudo-random function PRF(P_i) to generate the shares {[P_{i,1}], [P_{i,2}]} of the user profile P_i. The exact split may depend on the secret sharing algorithm and encryption library used by the application 112. In some implementations, the application uses a Shamir secret sharing scheme. The application 112 may also generate shares for the tags if the shares for one or more tags are being provided.
The application 112 encrypts the shares {[P_{i,1}], [P_{i,2}]} of the user profile P_i (312). For example, as described above, the application 112 may generate composite messages that include the shares of the user profile and of the tag, and encrypt the composite messages to obtain the encrypted results PubKeyEncrypt([P_{i,1}] || [label_{i,1}], MPC_1) and PubKeyEncrypt([P_{i,2}] || [label_{i,2}], MPC_2). Encrypting the shares using the encryption keys of the MPC cluster 130 prevents the content platform 150 from having access to the plaintext user profile. The application 112 sends the encrypted shares to the content platform (314). Note that if the application 112 sends the secret shares directly to the computing systems MPC_1 and MPC_2, operation 314 is omitted.
Example procedure for generating and Using machine learning models
FIG. 4 is a flow chart illustrating an example process 400 for generating a machine learning model. The operations of process 400 may be implemented, for example, by MPC cluster 130 of fig. 1. The operations of process 400 may also be implemented as instructions stored on one or more computer-readable media, which may be non-transitory, and execution of the instructions by one or more data processing apparatus may cause the one or more data processing apparatus to perform the operations of process 400.
MPC cluster 130 obtains shares of the user profile (402). The content platform 150 may request that the MPC cluster 130 train the machine learning model by sending shares of the user profile to the MPC cluster 130. The content platform 150 may access encrypted shares received from the client device 110 for the machine learning model over a given period of time and upload those shares to the MPC cluster 130.
For example, the content platform 150 may send, to the computing system MPC_1, the encrypted first share of each user profile P_i and its tag (e.g., PubKeyEncrypt([P_{i,1}] || [label_{i,1}], MPC_1)). Similarly, the content platform 150 may send, to the computing system MPC_2, the encrypted second share of each user profile P_i and its tag (e.g., PubKeyEncrypt([P_{i,2}] || [label_{i,2}], MPC_2)).
In some embodiments where the application 112 sends the secret share of the user profile directly to the MPC cluster 130, the content platform 150 may request the MPC cluster 130 to train the machine learning model by sending a training request to the MPC cluster 130.
The computing systems MPC_1 and MPC_2 create random projection planes (404). The computing systems MPC_1 and MPC_2 may collaboratively create m random projection planes U = {U_1, U_2, …, U_m}. These random projection planes should be kept as secret shares between the two computing systems MPC_1 and MPC_2. In some implementations, the computing systems MPC_1 and MPC_2 create the random projection planes and maintain their confidentiality using Diffie-Hellman key exchange techniques.
As described in more detail below, the computing systems MPC_1 and MPC_2 will project their shares of each user profile onto each random projection plane and determine, for each random projection plane, whether the share of the user profile is on one side of the random projection plane. Each computing system MPC_1 and MPC_2 may then construct a bit vector in secret shares from the secret shares of the user profile based on the result of each random projection. Partial knowledge of the user's bit vector (e.g., whether the user profile P_i is on one side of the projection plane U_k) allows the computing system MPC_1 or MPC_2 to obtain information about P_i that is incremental to knowing that the user profile P_i has unit length. To prevent the computing systems MPC_1 and MPC_2 from gaining access to this information (e.g., in embodiments where user privacy and/or data security are required or preferred), in some embodiments the random projection planes are in secret shares, so neither computing system MPC_1 nor MPC_2 has access to the random projection planes in plaintext. In other embodiments, a random bit flip pattern may be applied to the random projection results using a secret sharing algorithm, as described in optional operations 406-408.
To demonstrate how bits are flipped via secret shares, assume that there are two secrets x and y whose values are zero or one with equal probability. The equality operation [x] == [y] will flip the bit of x if y == 0 and keep the bit of x if y == 1. In this example, the operation will randomly flip the bit x with a 50% probability. This operation may require remote procedure calls (RPCs) between the two computing systems MPC_1 and MPC_2, and the number of rounds depends on the data size and the secret sharing algorithm selected.
Each computing system MPC_1 and MPC_2 creates a secret m-dimensional vector (406). The computing system MPC_1 may create a secret m-dimensional vector {S_1, S_2, …, S_m}, where each element S_i has a value of zero or one with equal probability. The computing system MPC_1 splits its m-dimensional vector into two shares, a first share {[S_{1,1}], [S_{2,1}], …, [S_{m,1}]} and a second share {[S_{1,2}], [S_{2,2}], …, [S_{m,2}]}. The computing system MPC_1 may keep the first share secret and provide the second share to the computing system MPC_2. Thereafter, the computing system MPC_1 may discard the m-dimensional vector {S_1, S_2, …, S_m}.
The computing system MPC_2 may create a secret m-dimensional vector {T_1, T_2, …, T_m}, where each element T_i has a value of zero or one. The computing system MPC_2 splits its m-dimensional vector into two shares, a first share {[T_{1,1}], [T_{2,1}], …, [T_{m,1}]} and a second share {[T_{1,2}], [T_{2,2}], …, [T_{m,2}]}. The computing system MPC_2 may keep the first share secret and provide the second share to the computing system MPC_1. The computing system MPC_2 may then discard the m-dimensional vector {T_1, T_2, …, T_m}.
The two computing systems MPC_1 and MPC_2 calculate shares of the bit flip pattern using secure MPC techniques (408). The computing systems MPC_1 and MPC_2 may use a secret share MPC equality test, with multiple round trips between the computing systems MPC_1 and MPC_2, to calculate the shares of the bit flip pattern. The bit flip pattern may be based on the operation [x] == [y] described above. That is, the bit flip pattern may be {S_1 == T_1, S_2 == T_2, …, S_m == T_m}. Let each ST_i = (S_i == T_i). Each ST_i has a value of 0 or 1. After completion of the MPC operation, the computing system MPC_1 has the first share {[ST_{1,1}], [ST_{2,1}], …, [ST_{m,1}]} of the bit flip pattern, and the computing system MPC_2 has the second share {[ST_{1,2}], [ST_{2,2}], …, [ST_{m,2}]} of the bit flip pattern. The shares of each ST_i enable the two computing systems MPC_1 and MPC_2 to flip the bits in the bit vectors in a manner that is opaque to both computing systems MPC_1 and MPC_2.
Each computing system MPC_1 and MPC_2 projects its share of each user profile onto each random projection plane (410). That is, for each user profile for which the computing system MPC_1 received a share, the computing system MPC_1 may project the share [P_{i,1}] onto each projection plane U_j. Performing this operation for each share of a user profile and for each random projection plane U_j results in a matrix R of dimension z × m, where z is the number of available user profiles and m is the number of random projection planes. Each element R_{i,j} in the matrix R may be determined by calculating the dot product between the projection plane U_j and the share [P_{i,1}], e.g., R_{i,j} = U_j ⊙ [P_{i,1}]. The operation ⊙ is the dot product of two vectors of equal length.
If bit flipping is used, the computing system MPC_1 may use the bit flip pattern that is secret-shared between the computing systems MPC_1 and MPC_2 to modify the values of one or more of the elements R_{i,j} in the matrix. For each element R_{i,j} in the matrix R, the computing system MPC_1 may calculate [ST_{j,1}] == sign(R_{i,j}) as the value of the element R_{i,j}. Thus, if the corresponding bit in the bit [ST_{j,1}] of the bit flip pattern has a value of zero, the sign of the element R_{i,j} will be flipped. This calculation may require multiple RPCs to the computing system MPC_2.
Similarly, for each user profile for which the computing system MPC_2 received a share, the computing system MPC_2 may project the share [P_{i,2}] onto each projection plane U_j. Performing this operation for each share of a user profile and for each random projection plane U_j results in a matrix R' of dimension z × m, where z is the number of available user profiles and m is the number of random projection planes. Each element R'_{i,j} in the matrix R' may be determined by calculating the dot product between the projection plane U_j and the share [P_{i,2}], e.g., R'_{i,j} = U_j ⊙ [P_{i,2}]. The operation ⊙ is the dot product of two vectors of equal length.
If bit flipping is used, the computing system MPC_2 may use the bit flip pattern that is secret-shared between the computing systems MPC_1 and MPC_2 to modify the values of one or more of the elements R'_{i,j} in the matrix. For each element R'_{i,j} in the matrix R', the computing system MPC_2 may calculate [ST_{j,2}] == sign(R'_{i,j}) as the value of the element R'_{i,j}. Thus, if the corresponding bit in the bit ST_j of the bit flip pattern has a value of zero, the sign of the element R'_{i,j} will be flipped. This calculation may require multiple RPCs to the computing system MPC_1.
The computing systems MPC_1 and MPC_2 reconstruct the bit vectors (412). The computing systems MPC_1 and MPC_2 may reconstruct the bit vectors of the user profiles based on the matrices R and R', which have exactly the same size. For example, the computing system MPC_1 may send a portion of the columns of the matrix R to the computing system MPC_2, and the computing system MPC_2 may send the remaining portion of the columns of the matrix R' to the computing system MPC_1. In a particular example, the computing system MPC_1 may send the first half of the columns of the matrix R to the computing system MPC_2, and the computing system MPC_2 may send the second half of the columns of the matrix R' to the computing system MPC_1. While columns are used for horizontal reconstruction in this example, which is preferred for protecting user privacy, rows may be used for vertical reconstruction in other examples.
In this example, the computing system MPC_2 may combine the first half of the columns of the matrix R' with the first half of the columns of the matrix R received from the computing system MPC_1 to reconstruct the first half (i.e., m/2 dimensions) of the bit vectors in plaintext. Similarly, the computing system MPC_1 may combine the second half of the columns of the matrix R with the second half of the columns of the matrix R' received from the computing system MPC_2 to reconstruct the second half (i.e., m/2 dimensions) of the bit vectors in plaintext. Conceptually, the computing systems MPC_1 and MPC_2 have now combined the corresponding shares in the two matrices R and R' to reconstruct the bit matrix B in plaintext. The bit matrix B will include the bit vectors of the projection results (projected onto each projection plane) for each user profile for which shares were received from the content platform 150 for the machine learning model. Each of the two servers in the MPC cluster 130 holds half of the plaintext bit matrix B.
However, if bit flipping is used, the computing systems MPC_1 and MPC_2 have flipped the bits of the elements in the matrices R and R' in a random pattern that is fixed for the machine learning model. This random bit flip pattern is opaque to both computing systems MPC_1 and MPC_2, such that neither computing system MPC_1 nor MPC_2 can infer the original user profiles from the bit vectors of the projection results. The cryptographic design also prevents MPC_1 or MPC_2 from inferring the original user profiles by partitioning the bit vectors horizontally, i.e., the computing system MPC_1 holds the second half of the bit vectors of the plaintext projection results and the computing system MPC_2 holds the first half of the bit vectors of the plaintext projection results.
The computing systems MPC_1 and MPC_2 generate machine learning models (414). The computing system MPC_1 may generate a k-NN model using the second half of the bit vectors. Similarly, the computing system MPC_2 may generate a k-NN model using the first half of the bit vectors. Generating the models using bit flipping and horizontal partitioning of the matrices applies the defense-in-depth principle to protect the confidentiality of the user profiles used to generate the models.
Typically, each k-NN model represents the cosine similarity (or distance) between the user profiles of a group of users. The k-NN model generated by the computing system MPC_1 represents the similarity between the second halves of the bit vectors, and the k-NN model generated by the computing system MPC_2 represents the similarity between the first halves of the bit vectors. For example, each k-NN model may define the cosine similarity between its half of the bit vectors.
The two k-NN models generated by the computing systems MPC_1 and MPC_2 may be referred to as a k-NN model, which has a unique model identifier as described above. The computing systems MPC_1 and MPC_2 may store their models and the shares of the tags for each user profile used to generate the models. The content platform 150 may then query the model to infer user groups for a user.
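The data flow of operations 310 and 406-412 in the bit-flip embodiment, as an added Python sketch that is not code from the patent. It assumes additive shares over a 2^64 ring with fixed-point features, projection planes known to both servers, pattern shares formed locally as XOR shares, and a `shared_sign_bit` stand-in that reconstructs the projection in the clear where a real deployment would run a secure comparison between MPC_1 and MPC_2; all function names are hypothetical.

```python
import random
import secrets

MOD = 2 ** 64    # assumed ring for additive shares
SCALE = 2 ** 16  # assumed fixed-point scale for real-valued features


def encode(x):
    """Fixed-point encode a real number into the ring."""
    return round(x * SCALE) % MOD


def signed(v):
    """Interpret a ring element as a signed integer."""
    return v - MOD if v >= MOD // 2 else v


def share_profile(profile):
    """Client side (310): split P_i into additive shares [P_i,1], [P_i,2]."""
    s1 = [secrets.randbelow(MOD) for _ in profile]
    s2 = [(encode(x) - r) % MOD for x, r in zip(profile, s1)]
    return s1, s2


def project(share, plane):
    """One server (410): dot product of its profile share with plane U_j."""
    return sum(s * encode(u) for s, u in zip(share, plane)) % MOD


def shared_sign_bit(r1, r2):
    """Stand-in for a secure comparison: returns XOR shares of the bit
    (projection >= 0). A real deployment never reconstructs r1 + r2."""
    bit = 1 if signed((r1 + r2) % MOD) >= 0 else 0
    mask = secrets.randbits(1)
    return mask, bit ^ mask


def flip_pattern_shares(m):
    """XOR shares of ST_j = (S_j == T_j) = 1 ^ S_j ^ T_j (406-408).
    Simplification: MPC_1 draws S_j and keeps 1 ^ S_j, MPC_2 keeps T_j."""
    st1 = [1 ^ secrets.randbits(1) for _ in range(m)]
    st2 = [secrets.randbits(1) for _ in range(m)]
    return st1, st2


def build_bit_matrices(profiles, planes):
    """Returns (half held by MPC_1, half held by MPC_2, plaintext ST).
    ST is returned only so the result can be checked; no server sees it."""
    m = len(planes)
    st1, st2 = flip_pattern_shares(m)
    rows1, rows2 = [], []
    for profile in profiles:
        p1, p2 = share_profile(profile)
        b1, b2 = [], []
        for j, plane in enumerate(planes):
            g1, g2 = shared_sign_bit(project(p1, plane), project(p2, plane))
            # XOR shares of (ST_j == sign bit) = 1 ^ ST_j ^ sign bit.
            b1.append(1 ^ st1[j] ^ g1)
            b2.append(st2[j] ^ g2)
        rows1.append(b1)
        rows2.append(b2)
    h = m // 2
    # Horizontal reconstruction (412): MPC_1 sends its first-half columns
    # to MPC_2, and MPC_2 sends its second-half columns to MPC_1.
    mpc2_half = [[a ^ b for a, b in zip(r1[:h], r2[:h])]
                 for r1, r2 in zip(rows1, rows2)]
    mpc1_half = [[a ^ b for a, b in zip(r1[h:], r2[h:])]
                 for r1, r2 in zip(rows1, rows2)]
    st = [a ^ b for a, b in zip(st1, st2)]
    return mpc1_half, mpc2_half, st


if __name__ == "__main__":
    rng = random.Random(1)  # constructed sample data
    planes = [[rng.gauss(0, 1) for _ in range(4)] for _ in range(8)]
    profiles = [[rng.uniform(-1, 1) for _ in range(4)] for _ in range(5)]
    mpc1_half, mpc2_half, _ = build_bit_matrices(profiles, planes)
    print("MPC_1 holds columns 4-7:", mpc1_half)
    print("MPC_2 holds columns 0-3:", mpc2_half)
```

Each server ends with m/2 plaintext columns of already-flipped bits, so neither holds a full bit vector nor the pattern needed to undo the flip.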
Example procedure for inferring user groups using machine learning models
FIG. 5 is a flow chart illustrating an example process 500 for adding users to a user group using a machine learning model. The operations of process 500 may be implemented, for example, by MPC cluster 130 and client device 110 of fig. 1 (e.g., application 112 running on client device 110). The operations of process 500 may also be implemented as instructions stored on one or more computer-readable media, which may be non-transitory, and execution of the instructions by one or more data processing apparatus may cause the one or more data processing apparatus to perform the operations of process 500.
The MPC cluster 130 receives an inference request for a given user profile (502). The application 112 running on the user's client device 110 may send an inference request to the MPC cluster 130, for example, in response to a request from the content platform 150. For example, the content platform 150 may send an upload token M_infer to the application 112 to request that the application 112 submit an inference request to the MPC cluster 130. The inference request may be to query whether the user should be added to any number of user groups.
The inference request token M_infer includes the shares of the given user profile of the user, the model identifier of the machine learning model (e.g., k-NN model) and the owner domain to be used for the inference, the number k of nearest neighbors of the given user profile to be used for the inference, additional signals (e.g., context or digital component signals), the aggregate function to be used for the inference and any aggregate function parameters to be used for the inference, and a signature over all of the above information created by the owner domain using the owner domain secret key.
As described above, in order to prevent a given user profile P_i from leaking in plaintext to the computing system MPC_1 or MPC_2, thereby protecting user privacy, the application 112 may split the given user profile P_i into separate shares [P_{i,1}] and [P_{i,2}] for MPC_1 and MPC_2, respectively. The application 112 may then send, to the computing system MPC_1, a single inference request with the first share [P_{i,1}] of the given user profile and an encrypted version of the second share of the given user profile (e.g., PubKeyEncrypt([P_{i,2}], MPC_2)). The inference request may also include the inference request token M_infer so that the MPC cluster 130 can authenticate the inference request. By sending one inference request that includes the first share and the encrypted second share, the number of outgoing requests sent by the application 112 is reduced, resulting in computation, bandwidth, and battery savings at the client device 110.
In other implementations, the application 112 can send the first share [P_{i,1}] of the given user profile to the computing system MPC_1 and send the second share [P_{i,2}] of the given user profile to the computing system MPC_2. By sending the second share [P_{i,2}] of the given user profile to the computing system MPC_2 without going through the computing system MPC_1, the second share does not need to be encrypted to prevent the computing system MPC_1 from accessing the second share [P_{i,2}] of the given user profile.
Each computing system MPC_1 and MPC_2 identifies the k nearest neighbors to the given user profile in secret share representation (504). The computing system MPC_1 may use the first share [P_{i,1}] of the given user profile to calculate its half of the bit vector for the given user profile. To generate the bit vector, the computing system MPC_1 may use operations 410 and 412 of process 400 of FIG. 4. That is, the computing system MPC_1 may project the share [P_{i,1}] of the given user profile using the random projection vectors generated for the k-NN model and create a secret share of the bit vector for the given user profile. If bit flipping was used to generate the k-NN model, the computing system MPC_1 may then use the elements of the first share {[ST_{1,1}], [ST_{2,1}], …, [ST_{m,1}]} of the bit flip pattern used to generate the k-NN model to modify the secret share of the bit vector for the given user profile.
Similarly, the computing system MPC_1 may provide the encrypted second share PubKeyEncrypt([P_{i,2}], MPC_2) of the given user profile to the computing system MPC_2. The computing system MPC_2 may decrypt the second share [P_{i,2}] of the given user profile using its private key and use the second share [P_{i,2}] of the given user profile to calculate its half of the bit vector for the given user profile. That is, the computing system MPC_2 may project the share [P_{i,2}] of the given user profile using the random projection vectors generated for the k-NN model and create a bit vector for the given user profile. If bit flipping was used to generate the k-NN model, the computing system MPC_2 may then use the elements of the second share {[ST_{1,2}], [ST_{2,2}], …, [ST_{m,2}]} of the bit flip pattern used to generate the k-NN model to modify the elements of the bit vector for the given user profile. The computing systems MPC_1 and MPC_2 then reconstruct the bit vector using horizontal partitioning, as described in operation 412 of FIG. 4. After the reconstruction is complete, the computing system MPC_1 has the first half of the total bit vector for the given user profile, and the computing system MPC_2 has the second half of the total bit vector for the given user profile.
Each computing system MPC_1 and MPC_2 identifies k' nearest neighbor user profiles using its half of the bit vector for the given user profile and its k-NN model, where k' = a × k and a is empirically determined based on actual production data and statistical analysis. For example, a = 3 or another suitable number. The computing system MPC_1 may calculate the Hamming distance between the first half of the total bit vector and the bit vector of each user profile of the k-NN model. The computing system MPC_1 then identifies the k' nearest neighbors based on the calculated Hamming distances, e.g., the k' user profiles with the lowest Hamming distances. In other words, the computing system MPC_1 identifies a set of nearest neighbor user profiles based on the share of the given user profile and the k-nearest neighbor model trained using multiple user profiles. Example results in tabular form are shown in Table 5 below.
Row ID | Hamming distance (plaintext) | Share of user profile | Share of tag
i | d_{i,1} | [P_{i,1}] | [label_{i,1}]
Table 5
In Table 5, each row is for a particular nearest neighbor user profile and includes the Hamming distance, calculated by the computing system MPC_1, between the first half of the bit vector for that user profile and the bit vector for the given user profile. The row for a particular nearest neighbor user profile also includes the first share of the user profile and the first share of the tag associated with the user profile.
Similarly, the computing system MPC_2 may calculate the Hamming distance between the second half of the total bit vector and the bit vector of each user profile of the k-NN model. The computing system MPC_2 then identifies the k' nearest neighbors based on the calculated Hamming distances, e.g., the k' user profiles with the lowest Hamming distances. Example results in tabular form are shown in Table 5 below.
Row ID | Hamming distance (plaintext) | Share of user profile | Share of label
j | d_{j,2} | [P_{j,2}] | [label_{j,2}]
TABLE 6
In Table 6, each row is for a particular nearest neighbor user profile and includes the Hamming distance, calculated by computing system MPC2, between that user profile and the given user profile. The row for a particular nearest neighbor user profile also includes a second share of the user profile and a second share of the label associated with the user profile.
Computing systems MPC1 and MPC2 may exchange their lists of row identifier (row ID) and Hamming distance pairs with each other. Thereafter, each computing system MPC1 and MPC2 can independently select the k nearest neighbors using the same algorithm and input data. For example, computing system MPC1 can find the row identifiers common to the partial query results from both computing systems MPC1 and MPC2. For each i in the common row identifiers, computing system MPC1 calculates a combined Hamming distance d_i from the two partial Hamming distances, e.g., d_i = d_{i,1} + d_{i,2}. Computing system MPC1 may then order the common row identifiers based on the combined Hamming distance d_i and select the k nearest neighbors. The row identifiers of the k nearest neighbors may be represented as ID = {id_1, … id_k}. It can be shown that if a is sufficiently large, the k nearest neighbors determined by the algorithm described above are the true k nearest neighbors with high probability. However, a larger value of a results in high computational cost. In some implementations, computing systems MPC1 and MPC2 engage in a Private Set Intersection (PSI) algorithm to determine the row identifiers common to the partial query results from both computing systems MPC1 and MPC2. Furthermore, in some implementations, MPC1 and MPC2 engage in an enhanced Private Set Intersection (PSI) algorithm to calculate d_i = d_{i,1} + d_{i,2} for the row identifiers common to the partial query results from both computing systems MPC1 and MPC2, without revealing anything to MPC1 or MPC2 other than the top k nearest neighbors determined by d_i.
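The k' to k selection described above can be traced with a short added example (not code from the patent). The function names and the 8-bit sample model are constructed for illustration; the plaintext intersection stands in for the optional PSI step.

```python
# Added illustration of the two-server k' -> k nearest-neighbor selection.
# Function names and the 8-bit sample model are constructed for this example.

def hamming(a, b):
    """Hamming distance between two equal-length bit strings."""
    if len(a) != len(b):
        raise ValueError("bit vectors must have equal length")
    return sum(x != y for x, y in zip(a, b))

def partial_query(model_half, query_half, k_prime):
    """One server's view: the k' rows closest to its half of the query,
    returned as {row_id: partial Hamming distance}."""
    dists = {rid: hamming(bits, query_half) for rid, bits in model_half.items()}
    nearest = sorted(dists, key=lambda rid: (dists[rid], rid))[:k_prime]
    return {rid: dists[rid] for rid in nearest}

def select_k(partial_1, partial_2, k):
    """Run identically by both servers after they exchange their
    (row ID, distance) lists: keep the common row IDs, add the two partial
    distances (d_i = d_i,1 + d_i,2) and take the k smallest."""
    common = partial_1.keys() & partial_2.keys()
    combined = {rid: partial_1[rid] + partial_2[rid] for rid in common}
    return sorted(combined, key=lambda rid: (combined[rid], rid))[:k]

def knn(model, query, k, a):
    """Simulate both servers; k' = a * k candidates are kept per half."""
    half = len(query) // 2
    k_prime = a * k
    model_1 = {rid: bits[:half] for rid, bits in model.items()}  # held by MPC1
    model_2 = {rid: bits[half:] for rid, bits in model.items()}  # held by MPC2
    partial_1 = partial_query(model_1, query[:half], k_prime)
    partial_2 = partial_query(model_2, query[half:], k_prime)
    return select_k(partial_1, partial_2, k)

# Constructed sample: bit vectors of six profiles in the k-NN model.
MODEL = {
    "r1": "00000000",
    "r2": "10000000",
    "r3": "00001100",
    "r4": "11110000",
    "r5": "00001111",
    "r6": "11001100",
}
QUERY = "00000000"

if __name__ == "__main__":
    # a = 1: the two candidate lists overlap in only one row, so fewer
    # than k neighbors survive the intersection.
    print(knn(MODEL, QUERY, k=2, a=1))
    # a = 3: k' covers every row here, so the true 2 nearest are found.
    print(knn(MODEL, QUERY, k=2, a=3))
```

With a = 1 the intersection holds a single row, which shows why a must be large enough for the result to match the true k nearest neighbors.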
It is determined whether to add the user to the user group (506). This determination may be made based on the k nearest neighbor profiles and their associated labels. The determination is also based on the aggregation function used and any aggregation parameters for the aggregation function. The aggregation function may be selected based on the nature of the machine learning problem, such as binary classification, regression (e.g., using arithmetic mean or root mean square), multi-class classification, and weighted k-NN. As described in more detail below, each manner of determining whether to add a user to a user group may include different interactions between the MPC cluster 130 and the application 112 running on the client device 110.
If it is determined that the user is not to be added to the user group, the application 112 may not add the user to the user group (508). If it is determined to add the user to the user group, the application 112 may add the user to the user group (510), for example, by updating a user group list stored at the client device 110 to include a user group identifier for the user group.
Example binary classification inference techniques
For binary classification, the inference request may include a threshold, L_true and L_false as aggregation function parameters. The label values are Boolean, i.e., true or false. The threshold parameter may indicate the threshold percentage of the k nearest neighbor profiles that must have a true label for the user to be added to user group L_true. Otherwise, the user is added to user group L_false. In one approach, the MPC cluster 130 may instruct the application 112 to add the user to user group L_true if the number of nearest neighbor user profiles with a true label value is greater than the product of the threshold and k (and otherwise to user group L_false). However, computing system MPC1 would then learn the inference result, e.g., the user group that the user should join.
To protect user privacy, the inference request may include the threshold in plaintext, first shares [L_{true,1}] and [L_{false,1}] for computing system MPC1, and encrypted second shares for computing system MPC2, PubKeyEncrypt([L_{true,2}] || [L_{false,2}] || application_public_key, MPC2). In this example, the application 112 may generate a composite message from [L_{true,2}], [L_{false,2}] and the public key of the application 112, as denoted by the symbol ||, and encrypt the composite message using the public key of computing system MPC2. The inference response from computing system MPC1 to the application 112 may include a first share [L_{result,1}] of the inference result determined by computing system MPC1 and a second share [L_{result,2}] of the inference result determined by computing system MPC2.
To prevent the second share from being accessed by computing system MPC1, which would enable computing system MPC1 to obtain the inference result in plaintext, computing system MPC2 may send an encrypted (and optionally digitally signed) version of the second share [L_{result,2}] of the inference result, e.g., PubKeySign(PubKeyEncrypt([L_{result,2}], application_public_key), MPC2), to computing system MPC1 for inclusion in the inference response sent to the application 112. In this example, the application 112 may verify the digital signature using the public key of computing system MPC2 that corresponds to the private key of computing system MPC2 used to generate the digital signature, and decrypt the second share [L_{result,2}] of the inference result using the private key of the application 112 that corresponds to the public key (application_public_key) used to encrypt the second share [L_{result,2}].
The application 112 may then reconstruct the inference result L_result from the first share [L_{result,1}] and the second share [L_{result,2}]. Using digital signatures enables the application 112 to detect forgery of the result from computing system MPC2, e.g., by computing system MPC1. Depending on the desired security level, which parties operate the computing systems of the MPC cluster 130, and the assumed security model, digital signatures may not be required.
Computing systems MPC1 and MPC2 may use MPC techniques to determine the shares [L_{result,1}] and [L_{result,2}] of the binary classification result. In binary classification, the label of a user profile has a value of zero (false) or one (true). Assuming that the selected k nearest neighbors are identified by the identifiers {id_1, … id_k}, computing systems MPC1 and MPC2 may calculate the sum of the labels (sum_of_labels) of the k nearest neighbor user profiles, where the sum is represented by Relationship 3 below:
Relationship 3: sum_of_labels = Σ_{i ∈ {id_1, … id_k}} label_i
To determine the sum, computing system MPC1 sends ID (i.e., {id_1, … id_k}) to computing system MPC2. Computing system MPC2 may verify that the number of row identifiers in ID is greater than a threshold that enforces k-anonymity. Computing system MPC2 may then calculate a second share [sum_of_labels_2] of the sum of labels using Relationship 4 below:
Relationship 4: [sum_of_labels_2] = Σ_{i ∈ {id_1, … id_k}} [label_{i,2}]
Computing system MPC1 may also calculate a first share [sum_of_labels_1] of the sum of labels using Relationship 5 below:
Relationship 5: [sum_of_labels_1] = Σ_{i ∈ {id_1, … id_k}} [label_{i,1}]
If the sum of labels, sum_of_labels, is confidential information about which computing systems MPC1 and MPC2 should learn as little as possible, computing system MPC1 may calculate whether the first share [sum_of_labels_1] of the sum of labels is below the threshold, e.g., [below_threshold_1] = [sum_of_labels_1] < threshold × k. Similarly, computing system MPC2 may calculate whether the second share [sum_of_labels_2] of the sum of labels is below the threshold, e.g., [below_threshold_2] = [sum_of_labels_2] < threshold × k. Computing system MPC1 may proceed to calculate the inference result [L_{result,1}] as [below_threshold_1] × [L_{false,1}] + (1 − [below_threshold_1]) × [L_{true,1}]. Similarly, computing system MPC2 may calculate [L_{result,2}] as [below_threshold_2] × [L_{false,2}] + (1 − [below_threshold_2]) × [L_{true,2}].
If the sum of labels, sum_of_labels, is not confidential information, computing systems MPC1 and MPC2 can reconstruct sum_of_labels from [sum_of_labels_1] and [sum_of_labels_2]. Computing systems MPC1 and MPC2 may then set the parameter below_threshold to sum_of_labels < threshold × k, e.g., a value of one if the sum is below the threshold, or a value of zero if it is not below the threshold.
After calculating the parameter below_threshold, computing systems MPC1 and MPC2 can proceed to determine the inference result L_result. For example, computing system MPC2 can set [L_{result,2}] to [L_{true,2}] or [L_{false,2}] according to the value of below_threshold. For example, if the sum of the labels is not below the threshold, computing system MPC2 can set [L_{result,2}] to [L_{true,2}], or if the sum of the labels is below the threshold, computing system MPC2 can set [L_{result,2}] to [L_{false,2}]. Computing system MPC2 may then return the encrypted second share of the inference result (PubKeyEncrypt([L_{result,2}], application_public_key)), or a digitally signed version of this result, to computing system MPC1.
Similarly, computing system MPC1 can set [L_{result,1}] to [L_{true,1}] or [L_{false,1}] according to the value of below_threshold. For example, if the sum of the labels is not below the threshold, computing system MPC1 can set [L_{result,1}] to [L_{true,1}], or if the sum of the labels is below the threshold, computing system MPC1 can set [L_{result,1}] to [L_{false,1}]. Computing system MPC1 may send the first share [L_{result,1}] of the inference result and the encrypted second share [L_{result,2}] of the inference result to the application 112 as the inference response. The application 112 may then calculate the inference result based on the two shares, as described above.
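The non-confidential variant of this flow (Relationships 3 to 5, then selection of the result shares) is traced in the following added example, which is not code from the patent. It assumes additive secret shares modulo a prime and omits the public-key encryption and signature of the second share; all names, the modulus, the labels and the group identifiers 7001/7002 are constructed.

```python
# Added illustration: binary classification over additive secret shares.
# Assumptions (not from the text): shares are additive modulo PRIME, and
# the encryption/signing of MPC2's result share is left out.
import secrets

PRIME = 2**61 - 1  # assumed modulus for the share arithmetic

def share(value):
    """Split value into two additive shares modulo PRIME."""
    first = secrets.randbelow(PRIME)
    return first, (value - first) % PRIME

def reconstruct(first, second):
    return (first + second) % PRIME

def sum_share(label_shares, ids):
    """Relationship 4 or 5: a server sums its own label shares over ID."""
    return sum(label_shares[i] for i in ids) % PRIME

def infer_shares(ids, labels_1, labels_2, groups_1, groups_2,
                 threshold, k_anon_min):
    """Return ([L_result,1], [L_result,2]) when sum_of_labels may be revealed."""
    # MPC2 rejects ID lists that are too small to satisfy k-anonymity.
    if len(set(ids)) <= k_anon_min:
        raise ValueError("too few row identifiers for k-anonymity")
    k = len(ids)
    sum_1 = sum_share(labels_1, ids)            # computed by MPC1
    sum_2 = sum_share(labels_2, ids)            # computed by MPC2
    sum_of_labels = reconstruct(sum_1, sum_2)   # Relationship 3
    below_threshold = sum_of_labels < threshold * k
    pick = "false" if below_threshold else "true"
    # Each server selects its own share; neither sees L_true or L_false.
    return groups_1[pick], groups_2[pick]

def run_request(plain_labels, ids, l_true, l_false, threshold, k_anon_min=2):
    """Constructed end-to-end run: the client shares the inputs, both
    servers infer, and the application reconstructs L_result."""
    labels_1, labels_2 = {}, {}
    for row_id, label in plain_labels.items():
        labels_1[row_id], labels_2[row_id] = share(label)
    true_1, true_2 = share(l_true)
    false_1, false_2 = share(l_false)
    result_1, result_2 = infer_shares(
        ids, labels_1, labels_2,
        {"true": true_1, "false": false_1},
        {"true": true_2, "false": false_2},
        threshold, k_anon_min)
    return reconstruct(result_1, result_2)

# Constructed labels for six profiles in the k-NN model.
LABELS = {101: 1, 102: 0, 103: 1, 104: 1, 105: 0, 106: 0}

if __name__ == "__main__":
    print(run_request(LABELS, [101, 102, 103, 104], 7001, 7002, 0.5))
    print(run_request(LABELS, [102, 105, 106, 101], 7001, 7002, 0.5))
```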
Example multi-class classification inference techniques
For multi-class classification, the labels associated with each user profile may be categorical features. The content platform 150 may specify a lookup table that maps any possible classification value to a corresponding user group identifier. The lookup table may be one of the aggregation function parameters included in the inference request.
Within the k nearest neighbors found, the MPC cluster 130 finds the most frequent label value. The MPC cluster 130 may then find the user group identifier corresponding to the most frequent label value in the lookup table and request that the application 112 add the user to the user group corresponding to the user group identifier, for example, by adding the user group identifier to a list of user groups stored at the client device 110.
Similar to binary classification, it may be preferable to hide the inference result L_result from computing systems MPC1 and MPC2. To do so, the application 112 or the content platform 150 may create two lookup tables that each map the classification values to a corresponding share of the inference result L_result. For example, the application may create a first lookup table that maps the classification values to the first share [L_{result,1}] and a second lookup table that maps the classification values to the second share [L_{result,2}]. The inference request from the application to computing system MPC1 may include the first lookup table, in plaintext, for computing system MPC1 and an encrypted version of the second lookup table for computing system MPC2. The second lookup table may be encrypted using the public key of computing system MPC2. For example, a composite message including the second lookup table and the public key of the application may be encrypted using the public key of computing system MPC2 (e.g., PubKeyEncrypt(lookuptable2 || application_public_key, MPC2)).
The inference response sent by computing system MPC1 may include a first share [L_{result,1}] of the inference result generated by computing system MPC1. Similar to binary classification, to prevent the second share from being accessed by computing system MPC1, which would enable computing system MPC1 to obtain the inference result in plaintext, computing system MPC2 may send an encrypted (and optionally digitally signed) version of the second share [L_{result,2}] of the inference result, e.g., PubKeySign(PubKeyEncrypt([L_{result,2}], application_public_key), MPC2), to computing system MPC1 for inclusion in the inference result sent to the application 112. The application 112 may reconstruct the inference result L_result from [L_{result,1}] and [L_{result,2}], as described above.
Assume that there are w valid labels {l_1, l_2, … l_w} for the multi-class classification problem. To determine the shares [L_{result,1}] and [L_{result,2}] of the inference result L_result in multi-class classification, computing system MPC1 sends ID (i.e., {id_1, … id_k}) to computing system MPC2. Computing system MPC2 may verify that the number of row identifiers in ID is greater than a threshold that enforces k-anonymity. In general, the k in k-NN may be significantly greater than the k in k-anonymity. Computing system MPC2 may then calculate the second frequency share [frequency_{j,2}] of the j-th label [l_{j,2}], defined using Relationship 6 below.
Relationship 6:
Similarly, computing system MPC1 calculates the first frequency share [frequency_{j,1}] of the j-th label [l_{j,1}], defined using Relationship 7 below.
Relationship 7:
Assuming that the frequencies of the labels within the k nearest neighbors (frequency_i) are not sensitive, computing systems MPC1 and MPC2 can reconstruct frequency_i from the two shares [frequency_{i,1}] and [frequency_{i,2}] for that label. Computing systems MPC1 and MPC2 can then determine an index parameter (index) for which frequency_index has the maximum value, e.g., index = argmax_i(frequency_i).
Computing system MPC2 can then look up, in its lookup table, the share [L_{result,2}] corresponding to the label with the highest frequency and return PubKeyEncrypt([L_{result,2}], application_public_key) to computing system MPC1. Computing system MPC1 can similarly look up, in its lookup table, the share [L_{result,1}] corresponding to the label with the highest frequency. Computing system MPC1 may then send the application 112 an inference response that includes the two shares (e.g., [L_{result,1}] and PubKeyEncrypt([L_{result,2}], application_public_key)). As described above, the second share may be digitally signed by computing system MPC2 to prevent computing system MPC1 from forging the response of computing system MPC2. Then, as described above, the application 112 may calculate the inference result based on the two shares and add the user to the user group identified by the inference result.
Example regression inference techniques
For regression, the labels associated with each user profile P must be numerical. The content platform 150 may specify an ordered list of thresholds, e.g., (−∞ < t_0 < t_1 < … < t_n < ∞), and a list of user group identifiers, e.g., {L_0, L_1, … L_n, L_{n+1}}. In addition, the content platform 150 may specify an aggregation function, such as arithmetic mean or root mean square.
Within the k nearest neighbors found, the MPC cluster 130 calculates the average (result) of the label values and then looks up the mapping using result to find the inference result L_result. For example, the MPC cluster 130 may use Relationship 8 below to identify the label based on the average of the label values:
Relationship 8:
If result ≤ t_0, L_result ← L_0
If result > t_n, L_result ← L_{n+1}
If t_x < result ≤ t_{x+1}, L_result ← L_{x+1}
That is, if the result is less than or equal to the threshold t_0, the inference result L_result is L_0. If the result is greater than the threshold t_n, the inference result L_result is L_{n+1}. Otherwise, if the result is greater than the threshold t_x and less than or equal to the threshold t_{x+1}, the inference result L_result is L_{x+1}. Computing system MPC1 then requests that the application 112 add the user to the user group corresponding to the inference result L_result, for example, by sending an inference response including the inference result L_result to the application 112.
Similar to the other classification techniques described above, the inference result L_result may be hidden from computing systems MPC1 and MPC2. To do so, the inference request from the application 112 may include first shares [L_{i,1}] of the labels for computing system MPC1 and encrypted second shares [L_{i,2}] of the labels for computing system MPC2 (e.g., PubKeyEncrypt([L_{0,2}] || … || [L_{n+1,2}] || application_public_key, MPC2)).
The inference result sent by computing system MPC1 may include a first share [L_{result,1}] of the inference result generated by computing system MPC1. Similar to binary classification, to prevent the second share from being accessed by computing system MPC1, which would enable computing system MPC1 to obtain the inference result in plaintext, computing system MPC2 may send an encrypted (and optionally digitally signed) version of the second share [L_{result,2}] of the inference result, e.g., PubKeySign(PubKeyEncrypt([L_{result,2}], application_public_key), MPC2), to computing system MPC1 for inclusion in the inference result sent to the application 112. The application 112 may reconstruct the inference result L_result from [L_{result,1}] and [L_{result,2}], as described above.
When the aggregation function is arithmetic mean, computing systems MPC1 and MPC2 calculate the sum of the labels, sum_of_labels, similar to binary classification. If the sum of the labels is not sensitive, computing systems MPC1 and MPC2 may calculate the two shares [sum_of_labels_1] and [sum_of_labels_2] and then reconstruct sum_of_labels based on the two shares. Computing systems MPC1 and MPC2 may then calculate the average of the labels by dividing the sum of the labels by the number of nearest neighbor labels (e.g., by k).
Computing system MPC1 may then compare the average to the thresholds using Relationship 8 to identify the first share of the label corresponding to the average, and set the first share [L_{result,1}] to the first share of the identified label. Similarly, computing system MPC2 may compare the average to the thresholds using Relationship 8 to identify the second share of the label corresponding to the average, and set the second share [L_{result,2}] to the second share of the identified label. Computing system MPC2 may encrypt the second share [L_{result,2}] using the public key of the application 112 (e.g., PubKeyEncrypt([L_{result,2}], application_public_key)) and send the encrypted second share to computing system MPC1. Computing system MPC1 may provide the first share and the encrypted second share (which may optionally be digitally signed, as described above) to the application 112. The application 112 may then add the user to the user group identified by the label (e.g., user group identifier) L_result.
If the sum of the labels is sensitive, computing systems MPC1 and MPC2 may not construct sum_of_labels in plaintext. Instead, for , computing system MPC1 can calculate the mask [mask_{i,1}] = [sum_of_labels_1] > t_i × k. This calculation may require multiple round trips between computing systems MPC1 and MPC2. Next, computing system MPC1 can calculate and computing system MPC2 can calculate . The equality testing in this operation may require multiple round trips between computing systems MPC1 and MPC2.
Furthermore, computing system MPC1 can calculate and computing system MPC2 can calculate . Then, for , the MPC cluster 130 will return L_i if and only if acc_i == 1, and the MPC cluster 130 will return L_{n+1} if use_default == 1. This condition can be represented in Relationship 9 below.
Relationship 9:
The corresponding cryptographic implementations may be represented by Relationships 10 and 11 below.
Relationship 10:
relationship 11:
If L_i is in plaintext, these calculations do not require any round trips between computing systems MPC1 and MPC2, and if L_i is secret-shared, these calculations involve one round trip. Computing system MPC1 may provide the two shares of the result (e.g., [L_{result,1}] and [L_{result,2}]) to the application 112, where the second share is encrypted and optionally digitally signed by computing system MPC2 as described above. In this way, the application 112 may determine the inference result L_result without computing system MPC1 or MPC2 learning anything about the intermediate or final result.
For root mean square, computing system MPC1 sends ID (i.e., {id_1, … id_k}) to computing system MPC2. Computing system MPC2 may verify that the number of row identifiers in ID is greater than a threshold that enforces k-anonymity. Computing system MPC2 may use Relationship 12 below to calculate a second share of the sum_of_square_labels parameter (e.g., the sum of the squares of the label values).
Relationship 12:
Similarly, computing system MPC1 may use Relationship 13 below to calculate a first share of the sum_of_square_labels parameter.
Relationship 13:
Assuming that the sum_of_square_labels parameter is not sensitive, computing systems MPC1 and MPC2 can reconstruct the sum_of_square_labels parameter from the two shares [sum_of_square_labels_1] and [sum_of_square_labels_2]. Computing systems MPC1 and MPC2 may calculate the root mean square of the labels by dividing sum_of_square_labels by the number of nearest neighbor labels (e.g., by k) and then calculating the square root.
Whether the average is calculated via arithmetic mean or root mean square, computing system MPC1 may then compare the average to the thresholds using Relationship 8 to identify the label corresponding to the average, and set the first share [L_{result,1}] to the identified label. Similarly, computing system MPC2 may compare the average to the thresholds using Relationship 8 to identify the label (or the secret share of the label) corresponding to the average, and set the second share [L_{result,2}] to the identified label (or the secret share of the identified label). Computing system MPC2 may encrypt the second share [L_{result,2}] using the public key of the application 112 (e.g., PubKeyEncrypt([L_{result,2}], application_public_key)) and send the encrypted second share to computing system MPC1. Computing system MPC1 may provide the first share and the encrypted second share (which may optionally be digitally signed, as described above) to the application 112 as the inference result. The application 112 may then add the user to the user group identified by the label (e.g., user group identifier) L_result. If the sum_of_square_labels parameter is sensitive, computing systems MPC1 and MPC2 may perform a cryptographic protocol similar to the one used in the arithmetic mean example to calculate the shares of the inference result.
In the above techniques for inferring the results of classification and regression problems, all k nearest neighbors have equal influence, e.g., equal weight, on the final inference result. For many classification and regression problems, model quality can be improved if each of the k neighbors is assigned a weight that decreases monotonically as the Hamming distance between the neighbor and the query parameter P_i increases. A common kernel function with this property is the Epanechnikov (parabolic) kernel function. Both the Hamming distances and the weights can be calculated in plaintext.
Sparse feature vector user profile
When features of an electronic resource are included in a user profile and used to generate a machine learning model, the resulting feature vector may include high-cardinality categorical features such as domains, URLs, and IP addresses. These feature vectors are sparse, with most elements having a value of zero. The application 112 may split the feature vector into two or more dense feature vectors, but the machine learning platform would then consume too much client device upload bandwidth to be practical. To prevent this problem, the above-described systems and techniques may be adapted to better handle sparse feature vectors.
When a feature vector of an event is provided to a client device, computer-readable code (e.g., a script) of the content platform 150 included in the electronic resource may call an application (e.g., browser) API to specify the feature vector of the event. The code or the content platform 150 may determine whether the feature vector (or some portion thereof) is dense or sparse. If the feature vector (or some portion thereof) is dense, the code may pass in a vector of values as the API parameter. If the feature vector (or some portion thereof) is sparse, the code may pass in a map, for example, indexed key/value pairs for those feature elements having non-zero feature values, where the key is the name or index of such a feature element. If the feature vector (or some portion thereof) is sparse and the non-zero feature value is always the same value, e.g., 1, the code may pass in a set whose elements are the names or indices of such feature elements.
When aggregating feature vectors to generate a user profile, the application 112 may process dense and sparse feature vectors differently. The user profile (or some portion thereof) computed from the dense vector remains a dense vector. The user profile (or some part thereof) calculated from the mapping remains a mapping until the filling rate is high enough that the mapping no longer saves storage costs. At this point, the application 112 will convert the sparse vector representation to a dense vector representation.
In some implementations, the application 112 can classify some of the feature vectors or some portions of the feature vectors as sparse feature vectors and some as dense feature vectors. The application 112 may then process each type of feature vector differently in generating the user profile and/or shares of the user profile.
If the aggregation function is sum, the user profile (or some portion thereof) computed from the set may be a map. For example, each feature vector may have a categorical feature "visited domain". The aggregation function (i.e., sum) will count the number of times the user visited each publisher domain. If the aggregation function is logical OR, the user profile (or some portion thereof) computed from the set may remain a set. For example, each feature vector may have a categorical feature "visited domain". The aggregation function (i.e., logical OR) will calculate all of the publisher domains that the user visited, regardless of the frequency of the visits.
To send the user profile to the MPC cluster 130 for ML training and prediction, the application 112 may split the dense portion of the user profile using any standard encryption library that supports secret shares. To split the sparse portion of the user profile without significantly increasing the client device upload bandwidth and computational cost, a Function Secret Sharing (FSS) technique may be used. In this example, the content platform 150 assigns a unique index to each possible element in the sparse portion of the user profile, starting sequentially with 1. The effective range of indexes is assumed to be in the range of [1, N ], including 1 and N.
For the i-th element of the user profile calculated by the application, with non-zero value P_i and 1 ≤ i ≤ N, the application 112 may create two pseudo-random functions (PRFs) g_i and h_i with the following properties:
For any j, where 1 ≤ j ≤ N and j ≠ i, g_i(j) + h_i(j) = 0
Otherwise, g_i(j) + h_i(j) = P_i
Using FSS, g_i or h_i can be represented succinctly, e.g., by log2(N) × size_of_tag bits, and it is impossible to infer i or P_i from g_i or h_i. To prevent brute-force attacks, size_of_tag is typically 96 bits or more. Of the N dimensions, assume that there are n dimensions with non-zero values, where n << N. For each of the n dimensions, the application 112 may construct two pseudo-random functions g and h as described above. Furthermore, the application 112 may package the succinct representations of all n functions g into a vector G and, in the same order, the succinct representations of the n functions h into another vector H.
Furthermore, the application 112 may split the dense part of the user profile P into two additive secret shares [P_1] and [P_2]. The application 112 may then send [P_1] and G to computing system MPC1 and send [P_2] and H to computing system MPC2. Sending G requires |G| × log2(N) × size_of_tag = n × log2(N) × size_of_tag bits; when n << N, this may be much smaller than the N bits required if the application 112 transmits the sparse portion of the user profile in a dense vector.
When computing system MPC1 receives g_i and computing system MPC2 receives h_i, the two computing systems MPC1 and MPC2 can independently create Shamir secret shares. For any j, where 1 ≤ j ≤ N, computing system MPC1 creates a point [1, 2 × g_i(j)] in two-dimensional space and computing system MPC2 creates a point [−1, 2 × h_i(j)] in two-dimensional space. If the two computing systems MPC1 and MPC2 cooperatively construct a line y = a_0 + a_1 × x through the two points, then Relationships 14 and 15 are formed.
Relationship 14: 2 × g_i(j) = a_0 + a_1
Relationship 15: 2 × h_i(j) = a_0 − a_1
If the two relationships are added together, 2 × g_i(j) + 2 × h_i(j) = (a_0 + a_1) + (a_0 − a_1) is obtained, which simplifies to a_0 = g_i(j) + h_i(j). Thus, [1, 2 × g_i(j)] and [−1, 2 × h_i(j)] are two secret shares of the i-th non-zero element (i.e., P_i).
During the random projection operations of the machine learning training process, computing system MPC1 can independently assemble its vector of secret shares for the user profile from [P_1] and G. From the above description, it is known that |G| = n, where n is the number of non-zero elements in the sparse part of the user profile. Furthermore, the sparse portion of the user profile is known to be N-dimensional, where n << N.
Let G = {g_1, … g_n}. For the j-th dimension, where 1 ≤ j ≤ N, and 1 ≤ k ≤ n, let . Similarly, let H = {h_1, … h_n}. Computing system MPC2 can independently calculate . It is easy to prove that [SP_{j,1}] and [SP_{j,2}] are secret shares of SP_j, i.e., the secret value of the j-th element in the original sparse part of the user profile.
Let [SP_1] = {[SP_{1,1}], … [SP_{N,1}]}, i.e., the reconstructed secret share of the sparse part of the user profile in the dense representation. By concatenating [P_1] and [SP_1], computing system MPC1 can reconstruct the complete secret share of the original user profile. Computing system MPC1 may then randomly project [P_1] || [SP_1]. Similarly, computing system MPC2 may randomly project [P_2] || [SP_2]. After projection, the techniques described above may be used to generate a machine learning model in a similar manner.
FIG. 6 is a block diagram of an example computer system 600 that may be used to perform the operations described above. The system 600 includes a processor 610, a memory 620, a storage device 630, and an input/output device 640. Each of the components 610, 620, 630, and 640 may be interconnected, for example, using a system bus 650. The processor 610 is capable of processing instructions for execution within the system 600. In some implementations, the processor 610 is a single-threaded processor. In another implementation, the processor 610 is a multi-threaded processor. The processor 610 is capable of processing instructions stored in the memory 620 or on the storage device 630.
Memory 620 stores information within system 600. In one implementation, the memory 620 is a computer-readable medium. In some implementations, the memory 620 is a volatile memory unit. In another implementation, the memory 620 is a non-volatile memory unit.
The storage device 630 is capable of providing mass storage for the system 600. In some implementations, the storage device 630 is a computer-readable medium. In various different implementations, the storage device 630 may include, for example, a hard disk device, an optical disk device, a storage device shared by multiple computing devices over a network (e.g., a cloud storage device), or some other mass storage device.
Input/output device 640 provides input/output operations for system 600. In some implementations, the input/output device 640 may include one or more of a network interface device (e.g., an ethernet card), a serial communication device (e.g., an RS-232 port), and/or a wireless interface device (e.g., an 802.11 card). In another implementation, the input/output devices may include a driver device configured to receive input data and transmit output data to external devices 660, such as keyboards, printers, and display devices. However, other implementations may also be used, such as mobile computing devices, mobile communication devices, set-top box television client devices, and the like.
Although an example processing system has been described in FIG. 6, implementations of the subject matter and functional operations described in this specification can be implemented in other types of digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them.
Embodiments of the subject matter and the operations described in this specification can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them. Embodiments of the subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions, encoded on computer storage medium(s) for execution by, or to control the operation of, data processing apparatus. Alternatively or additionally, the program instructions may be encoded on an artificially generated propagated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal, that is generated to encode information for transmission to suitable receiver apparatus for execution by data processing apparatus. The computer storage medium may be, or be included in, a computer-readable storage device, a computer-readable storage substrate, a random or serial access memory array or device, or a combination of one or more of them. Furthermore, while the computer storage medium is not a propagated signal, the computer storage medium may be a source or destination of computer program instructions encoded in an artificially generated propagated signal. Computer storage media may also be or be included in one or more separate physical components or media (e.g., multiple CDs, disks, or other storage devices).
The operations described in this specification may be implemented as operations performed by a data processing apparatus on data stored on one or more computer readable storage devices or received from other sources.
The term "data processing apparatus" encompasses all kinds of apparatus, devices, and machines for processing data, including by way of example a programmable processor, a computer, a system-on-a-chip, or multiple ones or combinations of the foregoing. The apparatus may comprise a dedicated logic circuit, such as an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit). In addition to hardware, the apparatus may include code that creates an execution environment for the computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, a cross-platform runtime environment, a virtual machine, or a combination of one or more of them. The apparatus and execution environment may implement a variety of different computing model infrastructures, such as web services, distributed computing, and grid computing infrastructures.
A computer program (also known as a program, software application, script, or code) can be written in any form of programming language, including compiled or interpreted languages, declarative or procedural languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, object, or other unit suitable for use in a computing environment. The computer program may, but need not, correspond to a file in a file system. A program can be stored in a portion of a file that holds other programs or data (e.g., one or more scripts stored in a markup language document), in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code). A computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.
The processes and logic flows described in this specification can be performed by one or more programmable processors executing one or more computer programs to perform actions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for performing actions in accordance with instructions and one or more memory devices for storing instructions and data. Typically, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. However, the computer need not have such a device. Furthermore, the computer may be embedded in another device, such as a mobile phone, a Personal Digital Assistant (PDA), a mobile audio or video player, a game console, a Global Positioning System (GPS) receiver, or a portable storage device (e.g., a Universal Serial Bus (USB) flash drive), to name a few. Devices suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, such as internal hard disks or removable disks; magneto-optical disk; CD-ROM and DVD-ROM discs. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
To provide for interaction with a user, embodiments of the subject matter described in this specification can be implemented on a computer having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback, such as visual feedback, auditory feedback, or tactile feedback; and input from the user may be received in any form, including acoustic, speech, or tactile input. In addition, the computer may interact with the user by sending and receiving documents to and from the device used by the user; for example, by sending a web page to a web browser on a user's client device in response to a request received from the web browser.
Embodiments of the subject matter described in this specification can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a client computer having a graphical user interface or a web browser through which a user can interact with an implementation of the subject matter described in this specification), or any combination of one or more such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include local area networks ("LANs") and wide area networks ("WANs"), internetworks (e.g., the internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks).
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. In some embodiments, the server sends data (e.g., HTML pages) to the client device (e.g., for purposes of displaying data to and receiving user input from a user interacting with the client device). Data generated at the client device (e.g., results of user interactions) may be received at the server from the client device.
While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any invention or of what may be claimed, but rather as descriptions of features specific to particular embodiments of particular inventions. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination. Furthermore, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.
Similarly, although operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Thus, particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. Additionally, the processes depicted in the accompanying drawings do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may be advantageous.

Claims (15)

1. A computer-implemented method, comprising:
receiving, by a first computing system of a plurality of multi-party computing (MPC) systems, an inference request comprising a first share of a given user profile;
identifying k nearest neighbor user profiles of the plurality of user profiles that are considered to be most similar to the given user profile, comprising:
identifying, by the first computing system, a first set of nearest neighbor user profiles based on the first share of the given user profile and a first k-nearest neighbor model trained using the plurality of user profiles;
receiving, by the first computing system, data from each of one or more second computing systems of the plurality of MPC systems indicative of a respective second set of nearest neighbor profiles identified by the second computing system based on a respective second share of the given user profile and a respective second k-nearest neighbor model trained by the second computing system;
identifying, by the first computing system, a number k of nearest neighbor user profiles based on the first set of nearest neighbor user profiles and each of the second set of nearest neighbor user profiles;
generating, by the first computing system, a first share of the inference result based on respective labels of each of the k nearest neighbor user profiles, wherein the labels of each user profile predict one or more user groups to which users corresponding to the user profiles are to be added, and wherein the inference result indicates whether a given user corresponding to the given user profile is to be added to the given user group; and
providing, by the first computing system and to the client device, a first share of the inference result and a respective second share of the inference result received from each of the one or more second computing systems.
2. The computer-implemented method of claim 1, wherein the inference request includes an encrypted second share of the given user profile encrypted using an encryption key of the second computing system, the method further comprising sending the encrypted second share of the given user profile to the second computing system.
3. The computer-implemented method of claim 1 or 2, wherein the second share of the inferred result is encrypted using an encryption key of an application of the client device.
4. The computer-implemented method of any preceding claim, wherein:
the labels of each user profile have boolean types for binary classification; and
generating the first share of the inferred result includes:
determining a first share of a sum of tags of k nearest neighbor user profiles;
receiving a second share of a sum of tags of k nearest neighbor user profiles from a second computing system;
determining a sum of the tags based on the first share of the sum of the tags and the second share of the sum of the tags;
determining that the sum of the tags exceeds a threshold;
responsive to determining that the sum of the labels exceeds a threshold, determining to add the given user to the given group of users as an inference result; and
generating a first share of the inference result based on the inference result.
5. A computer-implemented method according to any one of claims 1 to 3, wherein:
the tag of each user profile has a value; and
generating the first share of the inferred result includes:
determining a first share of a sum of tags of k nearest neighbor user profiles;
receiving a second share of a sum of tags of k nearest neighbor user profiles from a second computing system;
determining a sum of the tags based on the first share of the sum of the tags and the second share of the sum of the tags;
determining that the given user is to join the given user group as an inference result based on the sum of the labels; and
generating a first share of the inference result based on the inference result.
6. A computer-implemented method according to any of claims 1 to 3, wherein the labels of each user profile have a classification value; and
generating the first share of the inferred result includes,
for each tag in the set of tags:
determining a first share of the frequency with which user profiles of the k nearest neighbor profiles have tags;
receiving, from the second computing system, a second share of the frequencies at which user profiles of the k nearest neighbor profiles have tags; and
determining the frequency with which the user profile of the k nearest neighbor profiles has a label based on the first and second shares of the frequency with which the user profile of the k nearest neighbor profiles has a label,
the method further comprises the steps of:
identifying the tag with the highest frequency;
assigning a given user to join a given user group corresponding to the tag having the highest frequency as an inference result; and
generating a first share of the inference result based on the inference result.
7. The computer-implemented method of any preceding claim, further comprising training the first k-nearest neighbor model using a secure MPC process in cooperation with one or more second computing systems using first secret shares of a plurality of user profiles maintained by the first computing system and corresponding second secret shares of a plurality of user profiles maintained by the one or more second computing systems.
8. The computer-implemented method of any preceding claim, further comprising training a first k-nearest neighbor model, the training comprising:
creating a first share of the random bit flip pattern in cooperation with the second computing system;
generating a first share of the bit matrix by projecting the first share of each of the plurality of user profiles onto a set of random projection planes;
modifying the first share of the bit matrix by modifying one or more bits of the first share of the bit matrix using the first share of the bit flip pattern;
providing a first portion of the first share of the modified bit matrix to a second computing system;
receiving, from the second computing system, a second half of the second share of the modified bit matrix generated by the second computing system using the second share of the user profile and the second share of the random bit flip pattern in the plurality of user profiles; and
the second half of the modified bit matrix and the second half of the modified bit matrix are used by the first computing system to reconstruct a bit vector of the second half of the first bit matrix.
9. The computer-implemented method of claim 8, wherein creating a first share of a random bit flip pattern in cooperation with a second computing system comprises:
generating a first m-dimensional vector comprising a plurality of first elements, each of the first elements having a value of zero or one;
splitting the first m-dimensional vector into two shares;
providing a first share of the first m-dimensional vector to a second computing system;
receiving a first share of a second m-dimensional vector from a second computing system; and
calculating, in cooperation with the second computing system, the first share of the random bit flip pattern using the shares of the first m-dimensional vector and the second m-dimensional vector.
10. The computer-implemented method of claim 1, wherein the plurality of MPC computing systems includes more than two MPC computing systems.
11. The computer-implemented method of claim 1, wherein the client device calculates a given user profile using a plurality of feature vectors, each of the plurality of feature vectors including a feature value related to an event of a user of the client device and a decay rate of each feature vector.
12. The computer-implemented method of claim 1, wherein the client device calculates a given user profile using a plurality of feature vectors, each including feature values related to events of a user of the client device, wherein calculating the given user profile comprises:
classifying one or more of the plurality of feature vectors as sparse feature vectors; and
classifying one or more of the plurality of feature vectors as dense feature vectors, the method further comprising:
generating a first share of the given user profile and a corresponding second share of the given user profile for the one or more second computing systems using the sparse feature vector and the dense feature vector, wherein generating the first share of the given user profile and the corresponding one or more second shares comprises splitting the sparse feature vector using a Functional Secret Sharing (FSS) technique.
13. A system, comprising:
one or more processors; and
one or more storage devices storing instructions that, when executed by one or more processors, cause the one or more processors to perform the method of any preceding claim.
14. A computer-readable storage medium carrying instructions that, when executed by one or more processors, cause the one or more processors to perform the method of any one of claims 1 to 12.
15. A computer program product comprising instructions which, when executed by a computer, cause the computer to perform the steps of the method according to any one of claims 1 to 12.
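The share-level arithmetic recited in claims 4 and 6, as an added example that is not part of the patent text: each system sums its shares of the neighbor labels locally, only the aggregate is recombined, and the decision is split into shares again. Additive sharing modulo a prime, per-neighbor label shares, one-hot encoding of categorical labels, the sample labels, and all function names are assumptions.

```python
import secrets

P = 2**61 - 1  # assumed prime modulus; the claims do not name a field


def share(value):
    """Split one integer into two additive shares modulo P."""
    a = secrets.randbelow(P)
    return a, (value - a) % P


def share_each(values):
    """Share every value; return the list held by each of the two systems."""
    pairs = [share(v) for v in values]
    return [p[0] for p in pairs], [p[1] for p in pairs]


def local_sum(shares):
    """A system's share of the sum is the sum of its shares."""
    return sum(shares) % P


def binary_inference(sum_share_1, sum_share_2, threshold):
    """Claim 4: recombine the label sum, compare with a threshold, re-share."""
    total = (sum_share_1 + sum_share_2) % P
    decision = 1 if total > threshold else 0
    return total, decision, share(decision)


def categorical_inference(freq_shares_1, freq_shares_2):
    """Claim 6: recombine per-label frequencies and pick the most frequent."""
    freqs = {
        label: (freq_shares_1[label] + freq_shares_2[label]) % P
        for label in freq_shares_1
    }
    # Sorting first makes tie-breaking deterministic (alphabetical).
    best = max(sorted(freqs), key=freqs.get)
    return freqs, best


def demo_binary():
    labels = [1, 0, 1, 1, 0]              # constructed labels of k = 5 neighbors
    held_1, held_2 = share_each(labels)
    return binary_inference(local_sum(held_1), local_sum(held_2), threshold=2)


def demo_categorical():
    label_set = ["cooking", "sports", "travel"]
    neighbors = ["sports", "travel", "sports", "cooking", "sports"]  # constructed
    freq_1, freq_2 = {}, {}
    for label in label_set:
        indicator = [1 if n == label else 0 for n in neighbors]
        s1, s2 = share_each(indicator)
        freq_1[label], freq_2[label] = local_sum(s1), local_sum(s2)
    return categorical_inference(freq_1, freq_2)


if __name__ == "__main__":
    print(demo_binary()[:2])
    print(demo_categorical())
```

As recited in the claims, the first computing system recombines the sum (or the per-label frequencies), so it learns that aggregate; in this sketch the individual neighbor labels stay in shares throughout.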
CN202180079925.8A 2020-10-02 2021-09-29 Privacy preserving machine learning using secure multiparty computing Pending CN116529730A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
IL277761 2020-10-02
IL277761A IL277761A (en) 2020-10-02 2020-10-02 Privacy preserving machine learning using secure multi-party computation
PCT/US2021/052540 WO2022072415A1 (en) 2020-10-02 2021-09-29 Privacy preserving machine learning using secure multi-party computation

Publications (1)

Publication Number Publication Date
CN116529730A true CN116529730A (en) 2023-08-01

Family

ID=80950820

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202180079925.8A Pending CN116529730A (en) 2020-10-02 2021-09-29 Privacy preserving machine learning using secure multiparty computing

Country Status (5)

Country Link
US (1) US20230214684A1 (en)
EP (1) EP4208808A1 (en)
CN (1) CN116529730A (en)
IL (1) IL277761A (en)
WO (1) WO2022072415A1 (en)


Also Published As

Publication number Publication date
EP4208808A1 (en) 2023-07-12
WO2022072415A1 (en) 2022-04-07
IL277761A (en) 2022-05-01
US20230214684A1 (en) 2023-07-06


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination